External risk intelligence

DrayTek Routers Command Injection Vulnerability

CVE advisory (Known Exploit)

CVE-2024-12987

A command injection vulnerability exists in the web management interface of certain DrayTek routers, allowing remote attackers to execute OS commands. This poses a risk of unauthorized system control and data compromise. Prompt patching is recommended.

Halo Surface Signal: 5

Weakness: OS Command Injection

Affected product: DrayTek Vigor300B Firmware

Affected version: 1.5.1.4

External exposure likelihood

Halo Surface Signal score for CVE-2024-12987

The vulnerability resides in the web management interface of DrayTek router gateways. Such network infrastructure appliances are designed to be managed over a network, and their management interfaces are frequently exposed to the internet or wide-area network segments in common deployment scenarios.

Horizon Alert

Summary of the vulnerability and why it matters

The web management interface of the affected DrayTek routers (Vigor2960 and Vigor300B on firmware 1.5.1.4) contains an OS command injection flaw in the /cgi-bin/mainfunction.cgi/apmcfgupload handler. A remote, unauthenticated attacker can inject operating system commands through this interface, leading to unauthorized control of the device and compromise of the data it handles.

  • Vulnerable web management interface
  • Allows OS command injection
  • Potential for system control compromise

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker who can reach the web management interface sends a crafted request to the vulnerable handler. Input from that request is passed to the underlying operating system and executed as a command, so the attacker can run arbitrary commands on the device, take control of it, alter its configuration, and use it as a foothold for lateral movement into the networks behind it. Any organization whose affected devices expose the management interface to an untrusted network is at risk.

  • Network reachability of the management interface; no credentials required.
  • Attacker sends a crafted request to the vulnerable handler.
  • Injected OS commands execute on the device.
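To make the bug class concrete, here is a small Python model of an OS command injection (CWE-78, the weakness class the FAQ below assigns to this CVE) beside its hardened form. This is an added illustration, not DrayTek firmware code and not a reconstruction of the affected handler; the function names, the parameter, the stand-in `echo` command and the payload string are assumptions chosen only to show how unvalidated input reaches a shell.

```python
"""Illustrative model of CWE-78 (OS command injection) and its fix.
Added example; not DrayTek's code. Function names, the parameter and the
stand-in command are assumptions for demonstration only."""
import re
import subprocess

# Tight allowlist for a file-name-like value: letters, digits, dot, dash, underscore.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_accepted(name: str) -> bool:
    """Allowlist check used by the hardened handler."""
    return bool(SAFE_NAME.match(name))


def vulnerable_upload_handler(name: str) -> str:
    """BAD: the attacker-controlled value is spliced into a shell command line.
    A ';' in the value ends the intended command and starts a second one."""
    cmd = "echo processing " + name            # stand-in for a real firmware command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_handler(name: str) -> str:
    """Better: the value travels as a single argv element, so no shell parses it
    and metacharacters stay literal. Still accepts junk, so validate too."""
    return subprocess.run(["echo", "processing", name],
                          capture_output=True, text=True).stdout


def hardened_upload_handler(name: str) -> str:
    """Fixed: reject anything outside the allowlist, then use argv passing."""
    if not is_accepted(name):
        raise ValueError("rejected input: %r" % name)
    return argv_only_handler(name)


# Constructed request value an unauthenticated client might send.
PAYLOAD = "x; echo INJECTED"

if __name__ == "__main__":
    print(vulnerable_upload_handler(PAYLOAD), end="")   # second line reads INJECTED
    print(argv_only_handler(PAYLOAD), end="")            # payload echoed literally
    try:
        hardened_upload_handler(PAYLOAD)
    except ValueError as exc:
        print(exc)
```

The two defences are layered on purpose: argv passing removes the shell from the path entirely, and the allowlist stops the value from being abused by whatever the real command does with it.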

Live Threat

Current exploitation, exposure, and threat context

A critical command injection vulnerability has been discovered in DrayTek Vigor2960 and Vigor300B routers. This vulnerability allows remote attackers to execute arbitrary operating system commands, potentially leading to full system compromise and lateral movement within an organization's network. Publicly available exploit code and its inclusion in the CISA Known Exploited Vulnerabilities catalog indicate a high likelihood of exploitation.

  • Likely attacker skill level: Low.
  • Required access or conditions: Unauthenticated remote access.
  • Business risk or urgency: Critical; immediate action required.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Organizations should address the command injection vulnerability affecting DrayTek Vigor2960 and Vigor300B devices, which allows remote unauthenticated attackers to execute commands on the affected systems. Publicly available exploit code and the CISA KEV listing raise the risk to any organization running these devices. The vendor has released firmware 1.5.1.5, and prompt action is recommended.

  • Identify all DrayTek Vigor2960 and Vigor300B devices and record their firmware versions.
  • Until patched, block access to the web management interface from the internet and other untrusted networks, or isolate the devices.
  • Upgrade to firmware 1.5.1.5 or later and confirm the running version afterwards.
  • Review web interface logs for requests to /cgi-bin/mainfunction.cgi/apmcfgupload from unexpected sources, and monitor for related incidents.
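The inventory and log review steps can be scripted. The following Python triage helper is an added example, not part of the advisory or any DrayTek tooling. It flags inventory rows for the two models the page names that run firmware below the fixed 1.5.1.5 release, and it hunts web access logs for requests to the /cgi-bin/mainfunction.cgi/apmcfgupload handler (the function named in the FAQ) whose URL-decoded query contains shell metacharacters. The inventory rows, log lines, hostnames, IP addresses and the `cfg` parameter name are constructed; the advisory does not say which parameter is injectable, so the check scans the whole query rather than one field.

```python
"""Triage helpers for CVE-2024-12987. Added example, not vendor tooling.
Model names, the fixed version and the endpoint path come from the advisory;
all inventory rows, log lines and the 'cfg' parameter name are constructed."""
import re
from urllib.parse import unquote

AFFECTED_MODELS = {"Vigor2960", "Vigor300B"}     # models named in the advisory
FIXED_VERSION = (1, 5, 1, 5)                      # vendor fix named in the advisory
VULN_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"
# Characters that let a parameter value break out into a shell command line.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")


def parse_version(text):
    """'1.5.1.4' or 'v1.5.1.4' -> (1, 5, 1, 4) so versions compare as tuples."""
    return tuple(int(p) for p in text.lstrip("vV").split("."))


def needs_upgrade(model, version):
    """True for a listed model running firmware below the fixed release.
    Assumption: every build below 1.5.1.5 is treated as needing the update."""
    return model in AFFECTED_MODELS and parse_version(version) < FIXED_VERSION


def triage_inventory(rows):
    """rows: iterable of (hostname, model, firmware). Returns hosts to patch."""
    return [host for host, model, fw in rows if needs_upgrade(model, fw)]


# Common log format, as a reverse proxy or log collector in front of the
# management interface might record it (the device's own log layout is not
# described by the advisory, so this is an assumption).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(lines, require_metachars=True):
    """Return requests to the vulnerable handler. With require_metachars the
    decoded query must contain a shell metacharacter; without it every request
    to the handler is returned, the safer hunt when the payload may travel in
    a POST body or header that the access log does not capture."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != VULN_PATH:
            continue
        decoded = unquote(query)
        if require_metachars and not SHELL_META.search(decoded):
            continue
        hits.append({"src": m.group("src"), "ts": m.group("ts"),
                     "method": m.group("method"), "query": decoded,
                     "status": m.group("status")})
    return hits


# Constructed sample data.
SAMPLE_INVENTORY = [
    ("gw-branch-01", "Vigor2960", "1.5.1.4"),   # affected version per the advisory
    ("gw-branch-02", "Vigor300B", "1.5.1.5"),   # already on the fixed release
    ("gw-branch-03", "Vigor300B", "1.4.9"),     # older build, treated as exposed
    ("gw-hq-01", "Vigor2962", "4.3.2.1"),       # model not listed by the advisory
]
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Mar/2025:09:14:02 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?cfg=a%3Bid HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Mar/2025:09:15:10 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?cfg=abc123 HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Mar/2025:09:16:33 +0000] "GET /cgi-bin/mainfunction.cgi?x=%60wget%20h%60 HTTP/1.1" 404 120',
    '192.0.2.9 - - [10/Mar/2025:09:17:45 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload?cfg=%24%28cat%20/etc/passwd%29 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print("hosts to patch:", triage_inventory(SAMPLE_INVENTORY))
    for hit in suspicious_requests(SAMPLE_LOGS):
        print("suspicious:", hit["src"], hit["method"], hit["query"], hit["status"])
```

Two caveats when running this against real data: access logs rarely contain POST bodies, so the metacharacter test only catches payloads carried in the query string, and a request to this handler from anything other than an administrator's host is worth reviewing even with a clean query (run with require_metachars=False for that view). The third sample line hits the same CGI binary without the apmcfgupload path and is deliberately not flagged.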

Frequently asked questions

What is CVE-2024-12987 and what devices are affected?

CVE-2024-12987 is a critical OS command injection vulnerability found in the web management interface of DrayTek Vigor2960 and Vigor300B routers, specifically in version 1.5.1.4. This flaw can allow attackers to execute arbitrary commands on the device.

What type of vulnerability does CVE-2024-12987 represent and how is it exploited?

CVE-2024-12987 is an OS command injection vulnerability, categorized under CWE-77 and CWE-78. Attackers can exploit this by sending a crafted request to the web management interface, specifically targeting the /cgi-bin/mainfunction.cgi/apmcfgupload function, to inject and execute commands remotely.

What is the potential impact of CVE-2024-12987 if exploited?

Exploitation of CVE-2024-12987 can lead to the execution of arbitrary operating system commands, potentially granting attackers unauthorized control over the affected DrayTek devices. This could result in system compromise and data breaches.

Why is CVE-2024-12987 considered a significant threat?

The vulnerability is significant because it can be exploited remotely by unauthenticated attackers, public exploit code is available, and it is listed in the CISA Known Exploited Vulnerabilities catalog. The Halo Surface Signal score of 5 ('Very likely' to be exploited) reflects how often management interfaces of network infrastructure like this are reachable from untrusted networks.

How can organizations mitigate the risk associated with CVE-2024-12987?

Organizations should upgrade affected DrayTek Vigor2960 and Vigor300B routers to version 1.5.1.5 or later, as recommended by the vendor. Prompt patching is crucial to prevent exploitation of this command injection vulnerability.
