Post-Authentication Command Injection in DrayTek Vigor3900
CVE-2024-45893
Currently unrated
Summary
DrayTek Vigor3900 version 1.5.1.3 is vulnerable to command injection caused by improper handling of the 'action' parameter in the 'cgi-bin/mainfunction.cgi' script. An authenticated attacker can exploit this flaw by manipulating the 'setSWMOption' command, potentially allowing unauthorized system commands to be executed. Successful exploitation could compromise the integrity of the affected device.
Timeline
Vulnerability published