CVE-2024-45887

8.0 HIGH

📋 TL;DR

DrayTek Vigor3900 routers running firmware version 1.5.1.3 contain a post-authentication command injection vulnerability in the OpenVPN configuration handler. This allows authenticated attackers to execute arbitrary commands with root privileges on the device. Organizations using affected DrayTek routers are at risk.

💻 Affected Systems

Products:
  • DrayTek Vigor3900
Versions: 1.5.1.3
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authentication to exploit, but default credentials may be in use.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attacker to install persistent backdoors, pivot to internal networks, intercept all traffic, or brick the device.

🟠

Likely Case

Attacker gains full control of the router to modify network configurations, intercept traffic, or use as a foothold for lateral movement.

🟢

If Mitigated

Exploitation is limited to authenticated users, so the attack surface is reduced to authorized personnel or anyone holding compromised credentials.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but is straightforward once authenticated. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes

Instructions:

1. Check DrayTek website for security advisories
2. Download latest firmware if available
3. Backup current configuration
4. Upload and install new firmware
5. Restart device
6. Restore configuration if needed

🔧 Temporary Workarounds

Disable OpenVPN Web Interface

Remove or restrict access to the vulnerable OpenVPN configuration interface

Network Segmentation

Isolate Vigor3900 management interface from untrusted networks

🧯 If You Can't Patch

  • Implement strict access controls to management interface (IP whitelisting, VPN-only access)
  • Change all default credentials and enforce strong authentication policies

🔍 How to Verify

Check if Vulnerable:

Check whether the device is running firmware version 1.5.1.3 with OpenVPN functionality enabled

Check Version:

Log in to the web interface and check System Status > Firmware Information

Verify Fix Applied:

Verify firmware version is updated beyond 1.5.1.3 and test OpenVPN configuration functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/mainfunction.cgi with action=doOpenVPN
  • Unexpected command execution in system logs

Network Indicators:

  • Suspicious traffic patterns from router management interface
  • Unexpected outbound connections from router

SIEM Query:

source="vigor3900" AND (uri="/cgi-bin/mainfunction.cgi" AND params.action="doOpenVPN")
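The log indicators above, turned into a small detector as an added example (not part of the original advisory): it parses web-access log lines, flags POST requests to /cgi-bin/mainfunction.cgi whose action parameter is doOpenVPN, and marks hits from outside the management network. The log format, the sample lines and the 10.0.0.0/24 management network are constructed assumptions; the real Vigor3900 log format is not documented on this page, and if the action parameter is sent in the POST body rather than the query string, request-body logging is needed for it to be visible at all.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a generic combined-log style (assumption: the
# device's real log format may differ). Two hits from the management LAN,
# one benign login request, one hit from an address outside the LAN.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Sep/2024:10:01:02 +0000] "POST /cgi-bin/mainfunction.cgi?action=doOpenVPN HTTP/1.1" 200 512
10.0.0.5 - admin [12/Sep/2024:10:01:09 +0000] "POST /cgi-bin/mainfunction.cgi?action=doOpenVPN HTTP/1.1" 200 498
10.0.0.7 - admin [12/Sep/2024:10:03:44 +0000] "GET /cgi-bin/mainfunction.cgi?action=login HTTP/1.1" 200 1024
203.0.113.9 - admin [12/Sep/2024:10:05:12 +0000] "POST /cgi-bin/mainfunction.cgi?action=doOpenVPN HTTP/1.1" 200 507
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Values taken from the advisory's log indicators.
VULN_PATH = "/cgi-bin/mainfunction.cgi"
VULN_ACTION = "doOpenVPN"


def parse_line(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_suspicious(rec):
    """True for a POST to the vulnerable handler with action=doOpenVPN."""
    return (rec["method"] == "POST" and rec["path"] == VULN_PATH
            and rec["params"].get("action") == VULN_ACTION)


def find_hits(log_text, mgmt_net="10.0.0.0/24"):
    """Return matching records, each tagged with whether the source is off-LAN."""
    net = ipaddress.ip_network(mgmt_net)  # assumed management network
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            rec["external"] = ipaddress.ip_address(rec["ip"]) not in net
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source address so repeated use stands out."""
    return Counter(h["ip"] for h in hits)
```

A request to this handler by an administrator who is genuinely editing OpenVPN settings will also match, so treat the count per source, the source's location relative to the management network, and the timing as the triage signal rather than a single hit.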
