CVE-2024-12987
Published: 27 December 2024
Summary
CVE-2024-12987 is a medium-severity Command Injection (CWE-77) vulnerability in DrayTek Vigor300B Firmware. Its CVSS base score is 6.9 (Medium).
Operationally, it is ranked in the top 0.9% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A critical OS command injection vulnerability affects the web management interface of DrayTek Vigor2960 and Vigor300B devices running firmware 1.5.1.4. The flaw resides in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, where unsanitized input to the session argument allows arbitrary command execution. Both CWE-77 and CWE-78 are referenced, and the issue can be triggered remotely without authentication.
An unauthenticated attacker can send a crafted HTTP request to the affected endpoint and obtain command execution on the device. Publicly disclosed exploit code demonstrates remote code execution, enabling an adversary to run operating-system commands with the privileges of the web server process.
Vendor firmware version 1.5.1.5 resolves the issue. DrayTek’s release notes and the associated advisory recommend immediate upgrade of the affected Vigor2960 and Vigor300B units.
The EPSS score has reached a peak of 0.8286 with a current value of 0.7899, indicating substantial exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51246
Vulnerability details
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
- CWE(s)
- KEV Date Added: 15 May 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly prevents OS command injection by requiring validation and sanitization of the untrusted 'session' argument passed to /cgi-bin/mainfunction.cgi/apmcfgupload.
Mandates timely application of the vendor-supplied firmware upgrade to 1.5.1.5 that removes the command-injection flaw in the apmcfgupload handler.
Requires identification and authentication before any access to the Web Management Interface, blocking the unauthenticated remote exploitation path described in the CVE.