Post-Authentication Command Injection Vulnerability in DrayTek Vigor3900
CVE-2024-45889
Currently unrated
Summary
DrayTek Vigor3900 version 1.5.1.3 is susceptible to a post-authentication command injection vulnerability. The flaw arises when the 'action' parameter in 'cgi-bin/mainfunction.cgi' is manipulated, which allows arbitrary commands to be executed on the device. Successful exploitation can lead to unauthorized actions being performed with the privileges of the authenticated user, posing significant risks to network integrity and sensitive data.
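A defensive check for the request pattern described above, as an added example (not part of the advisory and not DrayTek code): it scans request records, such as those exported from a reverse proxy in front of the management interface, for 'action' values sent to 'cgi-bin/mainfunction.cgi' that are not plain identifiers. The record layout, the identifier allowlist and the placeholder action names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate 'action' values are plain identifiers. Tune this to
# the values your own device's web UI actually sends.
SAFE_ACTION = re.compile(r"[A-Za-z0-9_]+")
TARGET_SUFFIX = "cgi-bin/mainfunction.cgi"


def action_values(url, body=""):
    """Return every 'action' value sent to mainfunction.cgi (query + form body)."""
    parts = urlsplit(url)
    if not parts.path.rstrip("/").endswith(TARGET_SUFFIX):
        return []
    values = []
    for encoded in (parts.query, body):
        # parse_qs percent-decodes once; keep_blank_values so 'action=' is seen.
        values += parse_qs(encoded, keep_blank_values=True).get("action", [])
    return values


def suspicious_requests(records):
    """Return (record, value) pairs whose action value fails the allowlist."""
    hits = []
    for rec in records:
        for value in action_values(rec["url"], rec.get("body", "")):
            if not SAFE_ACTION.fullmatch(value):
                hits.append((rec, value))
    return hits


# Constructed sample records (not captured traffic); action names are placeholders.
SAMPLE = [
    {"src": "192.0.2.10", "url": "/cgi-bin/mainfunction.cgi",
     "body": "action=example_action&id=1"},
    {"src": "192.0.2.44", "url": "/cgi-bin/mainfunction.cgi",
     "body": "action=example_action%3Buname&id=1"},
    {"src": "192.0.2.44", "url": "/cgi-bin/mainfunction.cgi?action=example_action%60id%60"},
    {"src": "192.0.2.10", "url": "/cgi-bin/other.cgi?action=a%3Bb"},
]

if __name__ == "__main__":
    for rec, value in suspicious_requests(SAMPLE):
        print(f"{rec['src']} sent non-identifier action value: {value!r}")
```

Because the issue is post-authentication, any hit should be correlated with the session that issued it and followed by a credential review for that account.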
Timeline
Vulnerability published