Authenticated Command Injection Vulnerability in DrayTek Vigor3900 v1.5.1.6
CVE-2024-44845

8.8HIGH

Key Information:

Vendor: DrayTek
Status: Vigor3900 Firmware
Vendor: CVE Published:; 6 September 2024

What is CVE-2024-44845?

The DrayTek Vigor3900 is vulnerable to an authenticated command injection issue that arises from improper handling of user input, specifically through the value parameter in the filter_string function. This flaw can potentially allow an attacker with authenticated access to execute arbitrary commands on the device, leading to unauthorized actions and compromising the security of the network managed by the Vigor3900. Users of affected versions are advised to apply necessary security patches to mitigate the risks associated with this vulnerability.

References

https://github.com/3okfc/IOT-VUL-WP/blob/main/DaryTek/vig...

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 6, 2024