Cyber Resilience

CVE-2024-12987

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 27 December 2024
Modified: 30 October 2025
KEV Added: 15 May 2025
Patch: available (vendor firmware 1.5.1.5)
CVSS v4.0 Score: 6.9 (Medium)
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.7899 (99.1st percentile)
Risk Priority: 81 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12987 is a medium-severity Command Injection (CWE-77) vulnerability in DrayTek Vigor300B firmware (the Vigor2960 firmware is also affected). Its CVSS v4.0 base score is 6.9 (Medium).

Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A critical OS command injection vulnerability affects the web management interface of DrayTek Vigor2960 and Vigor300B devices running firmware 1.5.1.4. The flaw resides in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, where unsanitized input to the session argument allows arbitrary command execution. Both CWE-77 and CWE-78 are referenced, and the issue can be triggered remotely without authentication.

An unauthenticated attacker can send a crafted HTTP request to the affected endpoint and obtain command execution on the device. Publicly disclosed exploit code demonstrates remote code execution, enabling an adversary to run operating-system commands with the privileges of the web server process.

Vendor firmware version 1.5.1.5 resolves the issue. DrayTek’s release notes and the associated advisory recommend immediate upgrade of the affected Vigor2960 and Vigor300B units.

The EPSS score has reached a peak of 0.8286 with a current value of 0.7899, indicating substantial exploitation interest following disclosure.

Vulnerability details

A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to OS command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)
KEV Date Added: 15 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

DrayTek Vigor300B firmware 1.5.1.4
DrayTek Vigor2960 firmware 1.5.1.4

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly prevents OS command injection by requiring validation and sanitization of the untrusted 'session' argument passed to /cgi-bin/mainfunction.cgi/apmcfgupload.

prevent (SI-2, Flaw Remediation): Mandates timely application of the vendor-supplied firmware upgrade to 1.5.1.5 that removes the command-injection flaw in the apmcfgupload handler.

prevent: Requires identification and authentication before any access to the Web Management Interface, blocking the unauthenticated remote exploitation path described in the CVE.
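The two technical points above, the SI-10 allowlist check on the session argument and the fact that the injectable endpoint is reachable without authentication, are illustrated by the following added example. It is not DrayTek's code and not part of this record: it shows the shape of a strict allowlist validator a hardened handler would apply to the argument, and runs the same check over constructed access-log lines so a defender can spot requests to /cgi-bin/mainfunction.cgi/apmcfgupload whose session value is not a clean token. The token format (unpadded alphanumerics, 8 to 64 characters), the Common Log Format layout and the sample lines are all assumptions made for the example; the real session format and the device's log format are not documented on this page.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import List, Optional, Set

# Endpoint named in the advisory; the injectable argument is "session".
VULNERABLE_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"

# Assumed token format for a hardened handler (SI-10). The real format used by
# the DrayTek firmware is not documented on this page, so this is a placeholder
# allowlist: only alphanumerics of a bounded length are accepted.
SESSION_TOKEN_RE = re.compile(r"[A-Za-z0-9]{8,64}")

# Characters with meaning to a POSIX shell. Any of them in a value that reaches
# a shell unescaped is the root cause of CWE-77 / CWE-78 injection.
SHELL_METACHARS: Set[str] = set(";|&`$(){}<>\n\r'\"\\*?[]~!#")

# Common Log Format, assumed for this example; Vigor devices may log differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def validate_session(value: str) -> bool:
    """SI-10 style check: accept the value only if it matches the strict allowlist.

    Rejecting anything outside the allowlist, rather than stripping known-bad
    characters, is what closes the injection: a metacharacter cannot be smuggled
    through an encoding that a denylist did not anticipate.
    """
    return SESSION_TOKEN_RE.fullmatch(value) is not None


def shell_metachars_in(value: str) -> Set[str]:
    """Return the shell metacharacters present in value, used to explain a finding."""
    return SHELL_METACHARS.intersection(value)


@dataclass
class Finding:
    src_ip: str
    method: str
    session: str
    reason: str


def analyse_log_line(line: str) -> Optional[Finding]:
    """Flag a request to the vulnerable endpoint whose session argument is not a clean token."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parsed = urllib.parse.urlsplit(m.group("target"))
    if parsed.path != VULNERABLE_PATH:
        return None
    # parse_qs percent-decodes, so "%3B" is inspected as ";".
    params = urllib.parse.parse_qs(parsed.query, keep_blank_values=True)
    sessions = params.get("session")
    if not sessions:
        # The argument may have travelled in a POST body, which an access log
        # does not record; surface the hit so the body can be inspected elsewhere.
        return Finding(m.group("ip"), m.group("method"), "",
                       "session argument not in query string; inspect request body")
    for s in sessions:
        if validate_session(s):
            continue
        bad = shell_metachars_in(s)
        reason = ("shell metacharacters: " + "".join(sorted(bad))) if bad else "session fails allowlist"
        return Finding(m.group("ip"), m.group("method"), s, reason)
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run analyse_log_line over every line and keep the findings."""
    return [f for f in (analyse_log_line(line) for line in lines) if f is not None]


# Constructed sample access-log lines for this example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Dec/2024:10:00:01 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=Ab12Cd34Ef56 HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Dec/2024:10:00:02 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=Ab12Cd34%3B HTTP/1.1" 200 77',
    '203.0.113.9 - - [27/Dec/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.10 - - [27/Dec/2024:10:00:04 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.src_ip} {finding.method} session={finding.session!r}: {finding.reason}")
```

The validator is deliberately an allowlist rather than a denylist: stripping `;` or backticks leaves every other shell construct open, whereas accepting only a fixed token alphabet leaves nothing for a shell to interpret. The log scan has a blind spot worth noting: an access log records only the query string, so a session argument carried in a POST body is invisible to it; the example therefore reports every hit on the endpoint without a visible argument as a lower-confidence finding to be checked at a reverse proxy or WAF that sees the body. Until the 1.5.1.5 firmware is applied, restricting who can reach the Web Management Interface at all (the third control above) remains the more reliable measure.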
