Web Management Interface Command Injection Vulnerability in DrayTek Vigor Devices
CVE-2024-12987

6.9 MEDIUM

Key Information:

Vendor: DrayTek
CVE Published: 27 December 2024

Badges

📈 Score: 448 | 👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 77% | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2024-12987?

CVE-2024-12987 is a critical vulnerability affecting DrayTek Vigor2960 and Vigor300B devices, specifically within their Web Management Interface. This vulnerability arises from an issue in the handling of specific commands, allowing for remote command injection. Such a flaw can have dire consequences for organizations, as it may enable attackers to execute malicious commands on the underlying operating system, potentially compromising system integrity and confidential information.

Technical Details

This vulnerability is located in the file /cgi-bin/mainfunction.cgi/apmcfgupload of the affected DrayTek devices, where improper handling of the session argument can lead to OS command injection. The flaw was introduced in version 1.5.1.4 and has been classified as critical due to its severity. Attackers can exploit this issue remotely, making it easier for threat actors to impact vulnerable systems without needing physical access.
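
A detection check for the flaw described above, added here as an example and not taken from the vendor, CISA or the original page: it scans access-log lines for requests to /cgi-bin/mainfunction.cgi/apmcfgupload whose session value is not a plain token. The combined log format, the parameter arriving in the query string, the token alphabet and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the advisory text above.
VULN_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"
PARAM = "session"
# Assumption: a legitimate session value is a plain alphanumeric token.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,128}")
# Client address, request line and status of a combined-format log entry.
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def inspect(line):
    """Return (client, status, reason) for a suspicious hit, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path.rstrip("/") != VULN_PATH:
        return None
    # parse_qs percent-decodes, so encoded metacharacters are seen in clear.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    for value in values:
        if not SAFE_VALUE.fullmatch(value):
            return (client, int(status), "session value outside token alphabet")
    return None

def scan(lines):
    """Inspect every log line and keep only the suspicious hits."""
    return [hit for hit in map(inspect, lines) if hit]

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1b2c3d4 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=x%3Becho%20test HTTP/1.1" 200 0',
    '203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "GET /index.html?session=x%3Bls HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, status, reason in scan(SAMPLE):
        print(f"ALERT {client} status={status}: {reason}")
```

Any request to this endpoint from outside the management network is worth reviewing even when the session value looks clean.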

Potential impact of CVE-2024-12987

  1. Unauthorized Access and Control: Attackers can gain unauthorized access to the affected devices, allowing them to execute arbitrary commands that could lead to full system compromise.

  2. Data Breach Risk: The ability to run commands remotely could expose sensitive data stored on or managed by the affected devices, leading to significant data leaks and regulatory implications for organizations.

  3. Increased Attack Surface: Exploitation of this vulnerability could serve as a foothold for further attacks within the network, enabling adversaries to move laterally and target additional systems, thereby escalating their attack.

CISA has reported CVE-2024-12987

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2024-12987 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Vigor2960 1.5.1.4

Vigor300B 1.5.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2024-12987 DrayTek Vigor Routers OS Command Injection...

4 weeks ago

EPSS Score

77% chance of being exploited in the next 30 days.

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 📰 First article discovered by CISA (.gov)

  • 🦅 CISA Reported

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

netsecfish (VulDB User)