CVE-2024-12987
DrayTek Vigor2960/Vigor300B Web Management Interface apmcfgupload os command injection
In short
A flaw in DrayTek router web management allows attackers to inject and execute arbitrary system commands by manipulating a session parameter in the configuration upload function, potentially giving complete control over the device.
Technical detail
OS command injection vulnerability in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint of DrayTek Vigor2960 and Vigor300B (v1.5.1.4) via the unsanitized session parameter. Remote exploitation is possible, and no authentication requirement is specified. The flaw maps to CWE-77 (improper neutralization of special elements) and CWE-78 (OS command injection), allowing arbitrary command execution with device privileges.
Summary generated and translated by AI from the official description.
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
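A detection sketch for the endpoint and parameter named above, added here as an example and not taken from the advisory or from DrayTek. It assumes the session argument travels in the query string, that a legitimate value is a plain alphanumeric token, and that requests are recorded in common log format by a proxy in front of the device; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cgi-bin/mainfunction.cgi/apmcfgupload"
# Assumption: a legitimate session value is a short plain token.
SAFE_SESSION = re.compile(r"[A-Za-z0-9_-]{1,128}")
# Common log format: source address first, request line in double quotes.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_requests(lines):
    """Return (source, decoded session value) for every request to the
    apmcfgupload endpoint whose session value fails the allowlist."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != ENDPOINT:
            continue
        # parse_qs percent-decodes once, so a double-encoded value still
        # contains '%' afterwards and fails the allowlist as well.
        values = parse_qs(url.query, keep_blank_values=True).get("session", [])
        hits.extend((m["src"], v) for v in values if not SAFE_SESSION.fullmatch(v))
    return hits

# Constructed sample lines (documentation addresses, placeholder values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] '
    '"GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1b2c3d4 HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] '
    '"GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1b2%3BPLACEHOLDER HTTP/1.1" 200 0',
    '203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] '
    '"GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1b2%253BPLACEHOLDER HTTP/1.1" 200 0',
    '192.0.2.4 - - [01/Jan/2025:10:00:09 +0000] '
    '"GET /index.html?session=x%3By HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"{src} sent non-token session value {value!r}")
```

A session value sent in a request body does not appear in access logs, so this check covers only the query-string case.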
public PoCs found — 1
cve_reference: netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf
https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf
https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf
https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4
https://vuldb.com/?ctiid.289380
https://vuldb.com/?id.289380
https://vuldb.com/?submit.468795
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-12987