CVE-2024-12986 – This critical vulnerability allows remote attac... (How to Fix)

Q: What is the severity of CVE-2024-12986?

CVE-2024-12986 has a CVSS score of 7.3 (HIGH). This critical vulnerability allows remote attackers to execute arbitrary operating system commands on affected DrayTek gateway devices through command injection in the web management interface. Attackers can exploit this to gain full control of the device without authentication. Organizations using DrayTek Vigor2960 or Vigor300B routers with vulnerable firmware versions are affected.

📋 TL;DR

This critical vulnerability allows remote attackers to execute arbitrary operating system commands on affected DrayTek gateway devices through command injection in the web management interface. Attackers can exploit this to gain full control of the device without authentication. Organizations using DrayTek Vigor2960 or Vigor300B routers with vulnerable firmware versions are affected.

💻 Affected Systems

Products:

DrayTek Vigor2960
DrayTek Vigor300B

Versions: 1.5.1.3 and 1.5.1.4

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web management interface component. Devices with web management enabled are vulnerable.

📦 What is this software?

Vigor2960 Firmware by Draytek

View all CVEs affecting Vigor2960 Firmware →

Vigor300b Firmware by Draytek

View all CVEs affecting Vigor300b Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to pivot to internal networks, steal credentials, install persistent backdoors, or use the device as a botnet node.

🟠

Likely Case

Device takeover leading to network reconnaissance, credential harvesting, and potential lateral movement into connected networks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict inbound rules and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and public exploit details exist.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows complete device compromise which could be used as a foothold for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details have been publicly disclosed. The vulnerability requires no authentication and has simple exploitation vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.1.5

Vendor Advisory: Not provided in references

Restart Required: Yes

Instructions:

1. Download firmware version 1.5.1.5 from DrayTek official website. 2. Log into device web interface. 3. Navigate to System Maintenance > Firmware Upgrade. 4. Upload the new firmware file. 5. Wait for upgrade to complete and device to reboot.

🔧 Temporary Workarounds

Disable Web Management Interface

all

Disable the vulnerable web interface component to prevent exploitation

Navigate to System Maintenance > Management > Web Config and disable HTTP/HTTPS access

Restrict Access with Firewall Rules

all

Limit access to the web management interface to trusted IP addresses only

Configure firewall rules to allow only specific management IPs to access port 80/443 on the device

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected devices from critical networks
Monitor for suspicious command execution patterns and network traffic from affected devices

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface under System Maintenance > Firmware Information. If version is 1.5.1.3 or 1.5.1.4, device is vulnerable.

Check Version:

Check via web interface or SSH: show version (if SSH enabled)

Verify Fix Applied:

After upgrade, verify firmware version shows 1.5.1.5 in System Maintenance > Firmware Information.

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed login attempts followed by successful access
Suspicious processes spawned from web interface

Network Indicators:

Unusual outbound connections from router to external IPs
Traffic patterns inconsistent with normal router operations
HTTP requests to /cgi-bin/mainfunction.cgi/apmcfgupptim with suspicious parameters

SIEM Query:

source="router_logs" AND (event="command_execution" OR event="process_spawn" OR uri="/cgi-bin/mainfunction.cgi/apmcfgupptim")

📊 Metadata

CVE ID: CVE-2024-12986

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-77

Published: December 27, 2024

Last Updated: May 28, 2025

🔗 References

https://netsecfish.notion.site/Command-Injection-in-apmcfgupptim-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c80b9ad8cc37b93273bf6?pvs=4 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.289379 Permissions Required,VDB Entry
https://vuldb.com/?id.289379 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.468794 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-12986, you might also want to check these: