Command Injection Vulnerability in DrayTek Vigor3900 by DrayTek
CVE-2024-51245

8.8HIGH

Key Information:

Vendor: Draytek
Status: Vigor3900 Firmware
Vendor: CVE Published:; 1 November 2024

What is CVE-2024-51245?

A command injection vulnerability has been identified in the DrayTek Vigor3900 router, specifically in version 1.5.1.3. This flaw allows attackers to inject malicious commands into the mainfunction.cgi script. By exploiting the rename_table function, unauthorized users can execute arbitrary commands on the affected device, potentially compromising the system's security and integrity. Securing impacted systems is critical to prevent unauthorized access and ensure network safety.

References

https://github.com/fu37kola/cve/blob/main/DrayTek/Vigor39...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 1, 2024
Vulnerability Reserved
Oct 28, 2024

Draytek

What is CVE-2024-51245?

References

CVSS V3.1

Timeline