CVE-2024-45889 – DrayTek Vigor3900 routers version 1.5.1.3 conta... (How to Fix)

Q: What is the severity of CVE-2024-45889?

CVE-2024-45889 has a CVSS score of 8.0 (HIGH). DrayTek Vigor3900 routers version 1.5.1.3 contain a post-authentication command injection vulnerability in the mainfunction.cgi endpoint. Attackers with valid credentials can execute arbitrary commands on the device with root privileges. This affects organizations using these routers for network infrastructure.

📋 TL;DR

DrayTek Vigor3900 routers version 1.5.1.3 contain a post-authentication command injection vulnerability in the mainfunction.cgi endpoint. Attackers with valid credentials can execute arbitrary commands on the device with root privileges. This affects organizations using these routers for network infrastructure.

💻 Affected Systems

Products:

DrayTek Vigor3900

Versions: 1.5.1.3

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authentication but default credentials are commonly used. The vulnerability is in the web management interface.

📦 What is this software?

Vigor3900 Firmware by Draytek

View all CVEs affecting Vigor3900 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise allowing attackers to pivot to internal networks, intercept/modify traffic, install persistent backdoors, or use the device for further attacks.

🟠

Likely Case

Attackers with stolen or default credentials gain full control of the router, enabling traffic interception, network reconnaissance, and lateral movement.

🟢

If Mitigated

With strong authentication and network segmentation, impact is limited to the router itself without allowing network pivoting.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires authentication but is trivial to execute once credentials are obtained. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

Check DrayTek website for firmware updates. If available, download latest firmware and apply through web interface: System Maintenance > Firmware Upgrade.

🔧 Temporary Workarounds

Restrict Web Interface Access

all

Limit access to the router's web management interface to trusted IP addresses only.

Change Default Credentials

all

Ensure strong, unique passwords are set for all administrative accounts.

🧯 If You Can't Patch

Isolate the router in a separate VLAN with strict firewall rules
Disable remote management and only allow local console access

🔍 How to Verify

Check if Vulnerable:

Check if router is running version 1.5.1.3 via web interface: System Maintenance > Firmware Information

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version is updated beyond 1.5.1.3

📡 Detection & Monitoring

Log Indicators:

Unusual command execution in system logs
Multiple failed login attempts followed by successful login

Network Indicators:

Unusual outbound connections from router
Traffic patterns suggesting command and control

SIEM Query:

source="vigor3900" AND (event="command execution" OR event="shell" OR event="system")

📊 Metadata

CVE ID: CVE-2024-45889

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: November 4, 2024

Last Updated: April 10, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-45889, you might also want to check these: