CVE-2024-43027

moderate-risk

Published 2024-08-21

DrayTek Vigor 3900 before v1.5.1.5_Beta, DrayTek Vigor 2960 before v1.5.1.5_Beta and DrayTek Vigor 300B before v1.5.1.5_Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi.

Do I need to act?

0.70% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.0/10 High

ADJACENT_NETWORK / LOW complexity

Affected Products (3)

Vigor300B Firmware

Vigor2960 Firmware

Vigor3900 Firmware

Affected Vendors

Draytek

References (1)

Exploit https://github.com/N1nEmAn/wp/blob/main/V3900.md

/ 100

moderate-risk

Severity 25/34 · High

Exploitability 2/34 · Minimal

Exposure 9/34 · Low