CVE-2024-12987

A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

CVSS v3 7.3 HIGH
CVSS v2.0 7.5 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4	Exploit Third Party Advisory
https://vuldb.com/?ctiid.289380	Permissions Required VDB Entry
https://vuldb.com/?id.289380	Third Party Advisory VDB Entry
https://vuldb.com/?submit.468795	Third Party Advisory VDB Entry
https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf	Release Notes
https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf	Release Notes
https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf	Not Applicable

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:draytek:vigor300b_firmware:1.5.1.4:*:*:*:*:*:*:*

cpe:2.3:h:draytek:vigor300b:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:draytek:vigor2960_firmware:1.5.1.4:*:*:*:*:*:*:*

cpe:2.3:h:draytek:vigor2960:-:*:*:*:*:*:*:*

History

16 May 2025, 18:43

Type	Values Removed	Values Added
References	~~() https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4 -~~	() https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4 - Exploit, Third Party Advisory
References	~~() https://vuldb.com/?ctiid.289380 -~~	() https://vuldb.com/?ctiid.289380 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.289380 -~~	() https://vuldb.com/?id.289380 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.468795 -~~	() https://vuldb.com/?submit.468795 - Third Party Advisory, VDB Entry
References	~~() https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf -~~	() https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf - Release Notes
References	~~() https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf -~~	() https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf - Release Notes
References	~~() https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf -~~	() https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf - Not Applicable
First Time		Draytek vigor300b Firmware Draytek vigor2960 Draytek vigor2960 Firmware Draytek Draytek vigor300b
CPE		cpe:2.3:o:draytek:vigor300b_firmware:1.5.1.4:::::::* cpe:2.3:h:draytek:vigor2960:-:::::::* cpe:2.3:h:draytek:vigor300b:-:::::::* cpe:2.3:o:draytek:vigor2960_firmware:1.5.1.4:::::::*

15 May 2025, 01:15

Type	Values Removed	Values Added
References		() https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf - () https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf - () https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf -

14 May 2025, 17:15

Type	Values Removed	Values Added
References	~~{'url': 'https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}~~
Summary		(es) Se ha encontrado una vulnerabilidad clasificada como crítica en DrayTek Vigor2960 y Vigor300B 1.5.1.4. Se trata de una función desconocida del archivo /cgi-bin/mainfunction.cgi/apmcfgupload del componente Web Management Interface. La manipulación del argumento session provoca la inyección de comandos del sistema operativo. Es posible lanzar el ataque de forma remota. El exploit se ha hecho público y puede utilizarse. La actualización a la versión 1.5.1.5 puede solucionar este problema. Se recomienda actualizar el componente afectado.

27 Dec 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-27 16:15

Updated : 2025-05-16 18:43

NVD link : CVE-2024-12987

Mitre link : CVE-2024-12987

CVE.ORG link : CVE-2024-12987

JSON object : View

Products Affected

draytek

vigor300b
vigor2960
vigor300b_firmware
vigor2960_firmware

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-12987", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-12-27T16:15:24.143", "references": [{"url": "https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4", "tags": ["Exploit", "Third Party Advisory"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.289380", "tags": ["Permissions Required", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.289380", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.468795", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cna@vuldb.com"}, {"url": "https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad clasificada como cr\u00edtica en DrayTek Vigor2960 y Vigor300B 1.5.1.4. Se trata de una funci\u00f3n desconocida del archivo /cgi-bin/mainfunction.cgi/apmcfgupload del componente Web Management Interface. La manipulaci\u00f3n del argumento session provoca la inyecci\u00f3n de comandos del sistema operativo. Es posible lanzar el ataque de forma remota. El exploit se ha hecho p\u00fablico y puede utilizarse. La actualizaci\u00f3n a la versi\u00f3n 1.5.1.5 puede solucionar este problema. Se recomienda actualizar el componente afectado."}], "lastModified": "2025-05-16T18:43:30.507", "cisaActionDue": "2025-06-05", "cisaExploitAdd": "2025-05-15", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:draytek:vigor300b_firmware:1.5.1.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0357964-F484-4DB3-BCAD-1E02639357C4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:draytek:vigor300b:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DA5B988D-ED1A-4CBF-8B34-C5B03A55ED52"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:draytek:vigor2960_firmware:1.5.1.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "564753CE-A701-4D76-94D8-C452AF0C5E82"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:draytek:vigor2960:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8FDA3905-67DD-4F31-AFCF-014F1D7CCC1F"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cna@vuldb.com", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "DrayTek Vigor Routers OS Command Injection Vulnerability"}

7.3 /10