CVE-2024-12987: OS Command Injection in DrayTek Vigor2960
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. Manipulation of the argument session leads to OS command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 addresses this issue. It is recommended to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2024-12987 is an OS command injection vulnerability identified in DrayTek Vigor2960 and Vigor300B routers running firmware version 1.5.1.4. The vulnerability resides in the web management interface component, specifically within the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint. An attacker can manipulate the 'session' parameter to inject arbitrary operating system commands, which the device executes with the privileges of the web management interface process. This flaw requires no authentication or user interaction, enabling remote attackers to potentially take full control of the affected device. The vulnerability has been assigned a CVSS 4.0 base score of 6.9, reflecting its medium severity due to the ease of remote exploitation but limited scope of impact. The vendor has released firmware version 1.5.1.5 to address this issue. While no active exploitation has been reported, the public disclosure of the vulnerability increases the risk of future attacks, especially targeting network infrastructure devices that are often exposed to the internet or internal networks.
Potential Impact
For European organizations, the exploitation of CVE-2024-12987 could lead to significant security breaches. Successful command injection can allow attackers to execute arbitrary commands, potentially leading to full device compromise, interception or manipulation of network traffic, disruption of network services, and lateral movement within corporate networks. This is particularly critical for organizations relying on DrayTek Vigor2960 or Vigor300B routers as perimeter or internal network gateways. Compromise could result in data exfiltration, espionage, or denial of service. The impact is heightened in sectors such as government, finance, telecommunications, and critical infrastructure, where network integrity and confidentiality are paramount. Additionally, the lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation if devices remain unpatched.
Mitigation Recommendations
European organizations should immediately verify if they are using DrayTek Vigor2960 or Vigor300B devices running firmware version 1.5.1.4. The primary mitigation is to upgrade all affected devices to firmware version 1.5.1.5 or later, which contains the patch for this vulnerability. Network administrators should restrict access to the web management interface by implementing IP whitelisting or VPN-only access to management interfaces to reduce exposure. Monitoring network traffic for unusual commands or access patterns targeting the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint can help detect exploitation attempts. Additionally, organizations should conduct regular vulnerability assessments and penetration tests focusing on network infrastructure devices. Implementing network segmentation to isolate management interfaces and applying strict firewall rules can further reduce the attack surface.
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2024-12-27T08:03:52.921Z
- Cisa Enriched: true
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb8ab
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 10/21/2025, 7:53:14 PM
Last updated: 12/1/2025, 5:48:40 PM