CVE-2024-12987:
A critical OS command injection vulnerability in DrayTek Vigor2960 and Vigor300B Web Management Interface (apmcfgupload) can be exploited remotely by manipulating the session parameter; upgrading to firmware version 1.5.1.5 is recommended to remediate.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8 Critical
- Published Date: Dec 27, 2024
- CISA KEV Date: May 15, 2025
- Industries Affected: 20
Threat Predictions
- EPSS Score: 79.5
- EPSS Percentile: 99%
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
DrayTek Vigor2960 and Vigor300B devices with the Web Management Interface are affected by an OS command injection vulnerability in the apmcfgupload function of /cgi-bin/mainfunction.cgi. The attacker can remotely manipulate a session parameter to run arbitrary commands on the device, potentially compromising control of the device itself. The issue has public exploit visibility and is addressed in firmware 1.5.1.5. Severity metrics vary across CVSS versions but align with a high-impact remote code execution risk, and upgrading to the fixed release is strongly recommended.
Remediation
- Upgrade affected devices (Vigor2960 and Vigor300B) to firmware version 1.5.1.5 or later from the vendor.
- If upgrading is not immediately possible, implement compensating controls:
  - Restrict web management exposure to trusted networks only (prefer VPN access; disable public Internet access to the management interface).
  - Place devices behind a firewall with strict access rules and monitor for unauthorized access attempts.
  - Enforce strong authentication and monitor management logs for suspicious activity.
- After upgrade, verify the firmware version and perform basic functionality checks; monitor for any anomalous behavior and review release notes for confirmation of the fix.
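The monitoring steps above can be automated over access logs from a firewall or reverse proxy in front of the device. The following is an added example, not code from the vendor or from this advisory: the log layout, the trusted management network, the alphanumeric session-token alphabet and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

CGI_PATH = "/cgi-bin/mainfunction.cgi"                   # path named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]    # assumption: management VLAN
SAFE_SESSION = re.compile(r"[A-Za-z0-9]*")               # assumption: token alphabet
# Assumed log layout: <src-ip> "<METHOD> <url> <proto>" <status>
LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

# Constructed sample lines (documentation address ranges, harmless values).
SAMPLE_LOG = """\
10.20.0.15 "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1B2c3 HTTP/1.1" 200
203.0.113.7 "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1B2%3Bconstructed HTTP/1.1" 200
198.51.100.9 "GET /index.html HTTP/1.1" 200
203.0.113.8 "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200
10.20.0.15 "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=a1B2%20c3 HTTP/1.1" 200
"""

def inspect(line):
    """Return (source, findings) for a suspicious line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    src, _method, url, _status = m.groups()
    parts = urlsplit(url)
    if not parts.path.startswith(CGI_PATH):
        return None
    findings = []
    try:
        trusted = any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)
    except ValueError:
        trusted = False
    if not trusted:
        findings.append("untrusted-source")
    if "apmcfgupload" in url:
        # parse_qs percent-decodes, so encoded characters are checked in clear.
        for value in parse_qs(parts.query, keep_blank_values=True).get("session", []):
            if not SAFE_SESSION.fullmatch(value):
                findings.append("unexpected-session-chars")
    return (src, findings) if findings else None

def scan(log_text):
    """Collect findings for every line of a log."""
    return [hit for hit in map(inspect, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG):
        print(src, ",".join(findings))
```

Parameters sent in a request body do not appear in a URL-only log, so this check covers only what the upstream device records.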
References
- [VDB-289380 | DrayTek Vigor2960/Vigor300B Web Management Interface apmcfgupload os command injection](https://vuldb.com/?id.289380)
- [VDB-289380 CTI Indicators (IOB, IOC, TTP, IOA)](https://vuldb.com/?ctiid.289380)
- [Submit #468795 | DrayTek Vigor2960, Vigor300B 1.5.1.4 Command Injection](https://vuldb.com/?submit.468795)
- [Command Injection in apmcfgupload endpoint for DrayTek Gateway Devices](https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4)
- [DrayTek Vigor3900 V1.5.1.5 release notes](https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf)
- [DrayTek Vigor2960 V1.5.1.5 release notes](https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf)
- [DrayTek Vigor300B V1.5.1.5 release notes](https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf)
- [CISA KEV entry for CVE-2024-12987](https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.
- Armis Alert Date: Jan 7, 2025
- CISA KEV Date: May 15, 2025
- Days Early: 139 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.