CVE-2024-12986

high-risk

Published 2024-12-27

A vulnerability, which was classified as critical, has been found in DrayTek Vigor2960 and Vigor300B 1.5.1.3/1.5.1.4. This issue affects some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim of the component Web Management Interface. The manipulation of the argument session leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

Do I need to act?

70.3% chance of exploitation in next 30 days

EPSS score — higher than 30% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.3/10 High

NETWORK / LOW complexity

Affected Products (2)

Vigor300B Firmware

Vigor2960 Firmware

Affected Vendors

Draytek

References (4)

Exploit https://netsecfish.notion.site/Command-Injection-in-apmcfgupptim-endpoint-for-Dr...

Permissions Required https://vuldb.com/?ctiid.289379

Third Party Advisory https://vuldb.com/?id.289379

Third Party Advisory https://vuldb.com/?submit.468794

/ 100

high-risk

Severity 26/34 · High

Exploitability 19/34 · Moderate

Exposure 7/34 · Low