IRONSMITHINTEL
HIGHCVSS7.3
|
Actively Exploited
|CISA KEV|CVE-2024-12987|Auth: none — unauthenticated|Reboot: required|Manual only

DrayTek Vigor Routers OS Command Injection Vulnerability

DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface.

Published Dec 27, 2024 · Updated May 16, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

A remote attacker, without authentication, can achieve partial data exposure, partial data tampering, partial service disruption. Federal agencies are required to remediate by 2025-06-05 under CISA BOD 22-01.

How the attack worksNo clicks needed

This is a Command Injection (CWE-77) vulnerability in DrayTek Vigor Routers. A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component. Exploitation requires remote network access, low attack complexity, no authentication required, and no user interaction required.

📧

Phishing link

🖼

Malicious file

🔓

Server compromised

Am I affected?Quick check

Probably yes if any of these apply:

IT Security
Running vigor300b firmware: 1.5.1.4; vigor2960 firmware: 1.5.1.4
Real-world incidentsWhat we've seen

Active exploitation documented in the wild. Threat-research write-up: https://netsecfish.notion.site/Command-Injection-in-apmcfgupload-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c8040b7f1f0ffe29ce18f?pvs=4

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog — apply the vendor's security update as soon as possible.

CISA required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

References

    1
    Vendor advisory: https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf
    1
    NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-12987
    1
    CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-12987
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2024-12987NVDVendor Advisory