DrayTek Vigor2960 and Vigor300B Web Management Interface OS Command Injection Vulnerability
CVE-2024-12987 Published on December 27, 2024
DrayTek Vigor2960/Vigor300B Web Management Interface apmcfgupload os command injection
A vulnerability classified as critical was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. An unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface is affected. Manipulation of the argument session leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 addresses this issue. It is recommended to upgrade the affected component.
Known Exploited Vulnerability
This DrayTek Vigor Routers OS Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.
The following remediation steps are recommended / required by June 5, 2025: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Types
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2024-12987 has been classified as a Shell injection vulnerability or weakness.
What is a Command Injection Vulnerability?
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVE-2024-12987 has been classified as a Command Injection vulnerability or weakness.
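For defenders who log requests to the router's web management interface, the following added example (not code from DrayTek, CISA or the advisory) flags requests to the apmcfgupload path whose session argument contains anything other than letters and digits. It assumes Common Log Format lines, that session appears in the query string, and that a legitimate session value is purely alphanumeric; none of these details are stated on this page, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path named in the advisory for CVE-2024-12987.
TARGET_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"
# Assumption: a legitimate session value is purely alphanumeric.
SAFE_SESSION = re.compile(r"[A-Za-z0-9]+")
# Common Log Format: client IP first, then a quoted "METHOD URI PROTOCOL" field.
REQUEST = re.compile(r'^(\S+) .*?"(?:[A-Z]+) (\S+) HTTP/[\d.]+"')


def suspicious_requests(lines):
    """Return (client_ip, decoded_session) for apmcfgupload requests
    whose session argument falls outside the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a parseable request line
        client, uri = m.groups()
        parts = urlsplit(uri)
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so encoded special characters
        # are compared in their decoded form.
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("session", []):
            if not SAFE_SESSION.fullmatch(value):
                hits.append((client, value))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jan/2025:10:00:00 +0000] '
    '"GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1b2c3d4 HTTP/1.1" 200 512',
    '198.51.100.7 - - [02/Jan/2025:10:00:05 +0000] '
    '"GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1b2%3Bxyz HTTP/1.1" 200 0',
    '203.0.113.5 - - [02/Jan/2025:10:00:09 +0000] '
    '"GET /index.html?session=x%3By HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {client} session={value!r}")
```

A hit is a lead for investigation on a device still running 1.5.1.4, not proof of compromise; the fix remains the upgrade to 1.5.1.5.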
Affected Versions
DrayTek Vigor2960:
- Version 1.5.1.4 is affected.
DrayTek Vigor300B:
- Version 1.5.1.4 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.