CVE-2024-45884
📋 TL;DR
DrayTek Vigor3900 firmware version 1.5.1.3 contains a post-authentication command injection vulnerability in the mainfunction.cgi endpoint. An attacker with valid credentials can execute arbitrary commands on the device with root privileges. This affects all organizations using the vulnerable firmware version.
💻 Affected Systems
- DrayTek Vigor3900
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to network pivoting, data exfiltration, ransomware deployment, or persistent backdoor installation.
Likely Case
Attacker gains full control of the router to intercept traffic, modify configurations, or use as a foothold for lateral movement.
If Mitigated
Limited impact due to strong authentication controls, network segmentation, and monitoring preventing credential compromise.
🎯 Exploit Status
Proof-of-concept code is publicly available. Exploitation requires valid credentials but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Unknown
Restart Required: Yes
Instructions:
1. Check DrayTek website for security advisories. 2. Download latest firmware if available. 3. Backup configuration. 4. Upload and install new firmware. 5. Verify installation and restore configuration if needed.
🔧 Temporary Workarounds
Restrict Web Interface Access
allLimit access to the router's web interface to trusted IP addresses only.
Strong Authentication Controls
allImplement multi-factor authentication, strong password policies, and account lockouts to prevent credential compromise.
🧯 If You Can't Patch
- Segment the router on a dedicated management VLAN with strict access controls.
- Implement network monitoring for unusual CGI requests to mainfunction.cgi with setSWMGroup action.
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface: System Maintenance > Firmware Information. If version is 1.5.1.3, device is vulnerable.Check Version:
No CLI command available. Check via web interface at System Maintenance > Firmware Information.Verify Fix Applied:
Verify firmware version has been updated to a version later than 1.5.1.3.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /cgi-bin/mainfunction.cgi with action=setSWMGroup containing shell metacharacters
- Unusual command execution in system logs
Network Indicators:
- Unusual outbound connections from router
- Traffic patterns indicating command-and-control communication
SIEM Query:
web.url: "*/cgi-bin/mainfunction.cgi*" AND web.param.action: "setSWMGroup" AND (web.param.*: "*;*" OR web.param.*: "*|*" OR web.param.*: "*`*" OR web.param.*: "*$(*")