CVE-2024-45891

8.0 HIGH

📋 TL;DR

DrayTek Vigor3900 firmware version 1.5.1.3 contains a post-authentication command injection vulnerability in the delete_wlan_profile function. An attacker with valid administrator credentials can execute arbitrary commands on the device with root privileges. This affects all organizations using the vulnerable firmware version.

💻 Affected Systems

Products:
  • DrayTek Vigor3900
Versions: 1.5.1.3
Operating Systems: DrayTek proprietary firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator credentials to exploit. Default credentials may be present in some deployments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attacker to install persistent backdoors, intercept all network traffic, pivot to internal networks, and render the device inoperable.

🟠 Likely Case

Attacker with stolen or default credentials executes commands to create backdoor access, modify network configurations, or exfiltrate sensitive data.

🟢 If Mitigated

Limited to authenticated administrators only, with proper credential management preventing unauthorized access.

🌐 Internet-Facing: HIGH - Many DrayTek devices are deployed as internet-facing gateways, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers with network access and valid credentials could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires valid administrator credentials. Public proof-of-concept code exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check DrayTek website for firmware updates
2. Download latest firmware
3. Backup current configuration
4. Upload and install new firmware via web interface
5. Restart device
6. Restore configuration if needed

🔧 Temporary Workarounds

Restrict administrative access (applies to: all)

  • Limit administrative access to trusted IP addresses only
  • Configure firewall rules to restrict access to the management interface from specific IPs

Change default credentials (applies to: all)

  • Ensure strong, unique administrator passwords are used
  • Change the admin password via the web interface

🧯 If You Can't Patch

  • Isolate device in network segment with strict firewall rules
  • Implement network monitoring for suspicious commands to cgi-bin/mainfunction.cgi

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface under System Maintenance > Firmware Information. If version is 1.5.1.3, device is vulnerable.

Check Version:

Check via web interface or SSH: show version

Verify Fix Applied:

Verify firmware version has been updated to a version later than 1.5.1.3.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/mainfunction.cgi with action=delete_wlan_profile containing shell metacharacters
  • Unusual command execution in system logs

Network Indicators:

  • HTTP traffic to management interface with suspicious parameters in POST data
  • Outbound connections from device to unexpected destinations

SIEM Query:

source="vigor3900" AND url="/cgi-bin/mainfunction.cgi" AND post_data CONTAINS "delete_wlan_profile" AND (post_data CONTAINS "|" OR post_data CONTAINS ";" OR post_data CONTAINS "`" OR post_data CONTAINS "$")
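As an added example (not part of this advisory page), a small Python filter that applies the log indicator above to constructed access-log lines: it parses requests to /cgi-bin/mainfunction.cgi, checks for action=delete_wlan_profile, and flags any parameter whose decoded value contains one of the shell metacharacters the SIEM query lists. The "METHOD PATH BODY" log format and the sample lines are assumptions for illustration, not real Vigor3900 log output.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus

# Constructed sample lines in a simplified "METHOD PATH [BODY]" form (not real device logs).
SAMPLE_LOG = [
    "POST /cgi-bin/mainfunction.cgi action=delete_wlan_profile&profile=guest_wifi",
    "POST /cgi-bin/mainfunction.cgi action=delete_wlan_profile&profile=guest%3Bcmd",
    "POST /cgi-bin/mainfunction.cgi action=list_wlan_profile&profile=a%7Cb",
    "GET /cgi-bin/mainfunction.cgi?action=delete_wlan_profile&profile=x%60y",
    "POST /cgi-bin/mainfunction.cgi action=delete_wlan_profile&profile=guest%2524",
]

METACHARS = set("|;`$")  # the metacharacters named in the SIEM query above
TARGET_PATH = "/cgi-bin/mainfunction.cgi"
TARGET_ACTION = "delete_wlan_profile"
LINE_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+)(?: (?P<body>\S*))?$")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded metacharacters are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding if the line matches the delete_wlan_profile indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, body = m.group("path"), m.group("body") or ""
    if "?" in path:  # GET-style query string: inspect it the same way as a POST body
        path, _, query = path.partition("?")
        body = body or query
    if path != TARGET_PATH:
        return None
    params = parse_qs(body, keep_blank_values=True)  # decodes one percent-encoding layer
    if TARGET_ACTION not in params.get("action", []):
        return None
    hits = {name: fully_decode(v) for name, vals in params.items()
            for v in vals if METACHARS & set(fully_decode(v))}
    return {"method": m.group("method"), "params": hits} if hits else None


def scan(lines):
    """Return (line_number, finding) pairs for every line that trips the indicator."""
    return [(i, f) for i, line in enumerate(lines, 1) if (f := analyze_line(line))]
```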
