CVE-2024-12986 is a critical security vulnerability identified in the DrayTek Vigor2960 and Vigor300B routers running firmware versions 1.5.1.3 and 1.5.1.4. The flaw resides in the Web Management Interface component, specifically in the processing of the /cgi-bin/mainfunction.cgi/apmcfgupptim endpoint. An attacker can manipulate the 'session' argument in HTTP requests to this CGI script to perform OS command injection. This means that arbitrary operating system commands can be executed remotely without authentication or user interaction. The vulnerability is remotely exploitable over the network, requiring no privileges or user involvement, which significantly raises the risk of exploitation. The disclosed CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, lack of required privileges or user interaction, and partial impact on confidentiality, integrity, and availability. However, the description classifies it as critical, likely due to the potential for full system compromise through command injection. The vendor has released firmware version 1.5.1.5 to address this issue, and upgrading is strongly recommended. No known exploits are currently reported in the wild, but public disclosure increases the risk of exploitation attempts. The vulnerability could allow attackers to execute arbitrary commands on the device, potentially leading to full device compromise, network pivoting, data interception, or disruption of network services managed by these routers.

For European organizations using DrayTek Vigor2960 or Vigor300B routers with affected firmware versions, this vulnerability poses a significant risk. Successful exploitation could lead to complete compromise of the router, enabling attackers to intercept, manipulate, or disrupt network traffic. This can result in loss of confidentiality of sensitive communications, integrity breaches through traffic manipulation or injection, and availability impacts by disrupting network connectivity or causing device failures. Given that these routers often serve as critical network gateways or VPN endpoints, the impact extends beyond the device to the broader organizational network. This could facilitate lateral movement within corporate networks, data exfiltration, or launching further attacks against internal systems. The lack of authentication and user interaction requirements makes it easier for attackers to exploit remotely, increasing the threat surface. European organizations in sectors such as finance, healthcare, government, and critical infrastructure, which rely heavily on secure and stable network operations, are particularly at risk. Additionally, the public disclosure of the vulnerability may lead to increased scanning and exploitation attempts targeting vulnerable devices in Europe.

1. Immediate upgrade of all affected DrayTek Vigor2960 and Vigor300B devices to firmware version 1.5.1.5 or later, as provided by the vendor, to patch the vulnerability. 2. Restrict access to the Web Management Interface by implementing network segmentation and firewall rules to allow management access only from trusted internal IP addresses or VPNs. 3. Disable remote management features if not required, or enforce strong authentication and encrypted management channels (e.g., HTTPS with strong TLS configurations). 4. Monitor network traffic for unusual requests to /cgi-bin/mainfunction.cgi/apmcfgupptim or suspicious command injection patterns. 5. Employ intrusion detection/prevention systems (IDS/IPS) with updated signatures to detect exploitation attempts targeting this vulnerability. 6. Conduct regular vulnerability scans and penetration tests focusing on network devices to identify unpatched or misconfigured routers. 7. Maintain an asset inventory to quickly identify affected devices and ensure timely patch management. 8. Educate network administrators on the risks of command injection vulnerabilities and the importance of timely firmware updates.