CVE-2024-12987: OS Command Injection in DrayTek Vigor2960
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. Manipulation of the argument session leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 addresses this issue. It is recommended to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2024-12987 is an OS command injection vulnerability identified in the web management interface of DrayTek Vigor2960 and Vigor300B routers running firmware version 1.5.1.4. The vulnerability resides in an unspecified function within the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint, where the 'session' parameter is improperly sanitized, allowing an attacker to inject arbitrary operating system commands. This flaw can be exploited remotely over the network without requiring authentication or user interaction, making it highly accessible to attackers. Successful exploitation could lead to full compromise of the device, enabling attackers to execute arbitrary commands with the privileges of the web management interface process, potentially allowing lateral movement, data exfiltration, or disruption of network services. The vulnerability was publicly disclosed on December 27, 2024, with a CVSS v4.0 base score of 6.9, reflecting medium severity due to the lack of privilege requirements but significant impact on confidentiality, integrity, and availability. No known exploits have been observed in the wild yet. The vendor has released firmware version 1.5.1.5 to address this issue, and upgrading is strongly recommended to mitigate the risk.
Potential Impact
The impact of CVE-2024-12987 is substantial for organizations using affected DrayTek Vigor2960 and Vigor300B devices. Exploitation allows remote attackers to execute arbitrary OS commands without authentication, potentially leading to full device compromise. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, disruption of network services, and use of the compromised device as a pivot point for further attacks. Given that these devices often serve as critical network gateways or VPN concentrators, their compromise could severely affect organizational confidentiality, integrity, and availability. The public disclosure increases the risk of exploitation attempts. Organizations relying on these devices for secure network management are at risk of operational disruption and data breaches if not promptly patched.
Mitigation Recommendations
To mitigate CVE-2024-12987, organizations should immediately upgrade affected DrayTek Vigor2960 and Vigor300B devices to firmware version 1.5.1.5 or later, which contains the fix for this vulnerability. In addition, network administrators should restrict access to the web management interface by implementing network segmentation and firewall rules to limit management access only to trusted IP addresses. Enabling multi-factor authentication and monitoring logs for unusual access patterns can help detect exploitation attempts. If upgrading is temporarily not possible, disabling remote management interfaces or restricting them to internal networks can reduce exposure. Regularly auditing device firmware versions and applying security patches promptly is critical. Finally, organizations should consider deploying intrusion detection systems to monitor for suspicious command injection attempts targeting these devices.
Affected Countries
United States, Germany, United Kingdom, Australia, Japan, South Korea, Taiwan, Singapore, India, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2024-12-27T08:03:52.921Z
- CISA Enriched: true
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb8ab
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 2/28/2026, 11:51:31 AM
Last updated: 4/12/2026, 6:08:57 PM