Post-Authentication Command Injection in DrayTek Vigor3900
CVE-2024-45893
Currently unrated
What is CVE-2024-45893?
The DrayTek Vigor3900 version 1.5.1.3 is susceptible to a command injection vulnerability that arises from improper handling of the 'action' parameter in the 'cgi-bin/mainfunction.cgi' script. An authenticated attacker can exploit this flaw by manipulating the 'setSWMOption' command, potentially allowing unauthorized system commands to be executed. This could lead to significant security breaches and compromise the integrity of the affected device.
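
For defenders reviewing traffic to the management interface, the following added example (not code from the advisory or from DrayTek) flags requests to `cgi-bin/mainfunction.cgi` with `action=setSWMOption` whose other parameters contain shell metacharacters. It assumes request bodies are captured, for instance by a reverse proxy or WAF in front of the device. The advisory does not say which parameter reaches the shell, so every parameter is checked, and the `field1` name and `MARKER` values are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl

CGI_PATH = "/cgi-bin/mainfunction.cgi"  # endpoint named in the advisory
ACTION = "setSWMOption"                 # action value named in the advisory
# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")


def suspicious_params(path, body=""):
    """Return [(name, value)] for parameters of a setSWMOption request whose
    URL-decoded value contains shell metacharacters; [] for any other request."""
    url = urlsplit(path)
    if not url.path.endswith(CGI_PATH):
        return []
    # The action may arrive in the query string or in the form body.
    params = parse_qsl(url.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    if ("action", ACTION) not in params:
        return []
    return [(k, v) for k, v in params
            if k != "action" and SHELL_META.search(v)]


def scan(records):
    """records: iterable of (path, body). Return indexes of flagged requests."""
    return [i for i, (path, body) in enumerate(records)
            if suspicious_params(path, body)]


# Constructed sample requests (hypothetical parameter name, harmless markers).
SAMPLE = [
    ("/cgi-bin/mainfunction.cgi", "action=setSWMOption&field1=enable"),
    ("/cgi-bin/mainfunction.cgi", "action=setSWMOption&field1=enable%3B+MARKER"),
    ("/cgi-bin/mainfunction.cgi", "action=login&field1=a%7Cb"),
    ("/cgi-bin/mainfunction.cgi?action=setSWMOption", "field1=%24%28MARKER%29"),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for i in scan(SAMPLE):
        path, body = SAMPLE[i]
        print("flag:", path, suspicious_params(path, body))
```

A hit is a reason to inspect the session and the device, not proof of compromise, since legitimate values can contain some of these characters.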