
CVE-2024-12987: OS Command Injection in DrayTek Vigor2960

Medium
Published: Fri Dec 27 2024 (12/27/2024, 16:00:13 UTC)
Source: CVE
Vendor/Project: DrayTek
Product: Vigor2960

Description

A vulnerability classified as critical was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. An unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload in the Web Management Interface component is affected. Manipulation of the argument session leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 addresses this issue; upgrading the affected component is recommended.

AI-Powered Analysis

Last updated: 07/04/2025, 15:12:51 UTC

Technical Analysis

CVE-2024-12987 is a security vulnerability in the DrayTek Vigor2960 and Vigor300B routers, affecting firmware version 1.5.1.4. The flaw lies in the Web Management Interface component, specifically in an unknown function behind the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint. It arises from improper sanitization of the 'session' argument, which allows a remote attacker to perform OS command injection without authentication or user interaction: a crafted request to the vulnerable CGI script results in execution of arbitrary operating system commands on the device. The vulnerability has been publicly disclosed, which increases the risk of exploitation, although no exploitation in the wild has been reported so far. The CVSS 4.0 base score is 6.9, a medium severity rating. The vector string AV:N/AC:L/AT:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N indicates that the attack can be launched remotely over the network with low attack complexity, no attack requirements, and no privileges or user interaction required, with low impact on the confidentiality, integrity and availability of the vulnerable system and no impact on subsequent systems. The vendor fixed the issue in firmware version 1.5.1.5; upgrading to that version or later is recommended.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially to enterprises, ISPs, and critical infrastructure operators that deploy DrayTek Vigor2960 or Vigor300B routers. Successful exploitation could give attackers unauthorized control over the affected routers, leading to interception or manipulation of network traffic, disruption of network services, or use of the compromised device as a foothold for further attacks on the internal network. Because these routers are often used in small to medium business environments and branch offices, exploitation could result in data breaches, loss of network availability, and compromise of sensitive communications. The ability to execute arbitrary OS commands remotely without authentication raises the threat level, since attacks can be automated and used to pivot to other internal systems. Although no active exploitation has been reported, public disclosure increases the likelihood of future attacks. Organizations in Europe should assess the impact on the confidentiality, integrity, and availability of their network infrastructure and data, especially in sectors such as finance, healthcare, and government where network security is critical.

Mitigation Recommendations

European organizations using DrayTek Vigor2960 or Vigor300B routers should immediately verify their firmware version and upgrade to version 1.5.1.5 or later, which contains the patch for this vulnerability. Network administrators should restrict access to the router’s web management interface to trusted IP addresses or internal networks, and disable remote management where it is not required. They should implement network segmentation to isolate management interfaces from general user traffic, and employ intrusion detection and prevention systems (IDS/IPS) to monitor and block suspicious requests targeting the vulnerable CGI endpoint. Router configurations and logs should be audited regularly for signs of unauthorized access or command injection attempts. Organizations should also maintain an up-to-date asset inventory so that affected devices can be identified quickly and patched promptly. Where possible, management should be moved to alternative secure protocols such as SSH with strong authentication rather than web-based interfaces. Finally, incident response procedures should be in place to quickly contain and remediate any compromise resulting from exploitation of this vulnerability.
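As a concrete form of the log-auditing recommendation above, the following is an added detection example (not part of the advisory, and not DrayTek code). It scans web access-log lines for requests to the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint named in the advisory whose 'session' query parameter contains shell metacharacters. The log format (Apache/NGINX combined style) and the sample lines are constructed; the real format of a legitimate session token is not known from the advisory, so the check uses a metacharacter denylist rather than an allowlist, and it double-decodes the parameter so that percent-encoded and double-encoded separators are both caught.

```python
"""Flag access-log lines that hit the DrayTek apmcfgupload CGI endpoint with
shell metacharacters in the 'session' parameter.

Added example for CVE-2024-12987 log auditing; not from the advisory or DrayTek.
Log format and sample lines are constructed.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter named in the advisory.
VULN_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"
SUSPECT_PARAM = "session"

# Characters that separate commands or start substitutions in a POSIX shell.
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")

# Request portion of a combined-format log line: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding if the line targets the vulnerable endpoint with a
    suspicious 'session' value, otherwise None.

    Caveat: access logs only show query-string arguments. If the parameter is
    sent in a POST body, this check needs a proxy/WAF capture of the body.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Normalise the path: decode percent-encoding and collapse repeated slashes
    # so trivial variations still match the known endpoint.
    path = re.sub(r"/+", "/", unquote(parts.path))
    if path != VULN_PATH:
        return None
    # parse_qs decodes once; decode a second time to expose double-encoding.
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    for raw in params.get(SUSPECT_PARAM, []):
        decoded = unquote(raw)
        if SHELL_META.search(decoded):
            hits.append(decoded)
    if not hits:
        return None  # endpoint was requested, but no injection indicator
    src_ip = line.split(" ", 1)[0]
    return {"src_ip": src_ip, "path": path, "session_values": hits}


def scan(lines) -> list:
    """Run analyze_line over an iterable of log lines and collect findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


# Constructed sample log (combined format). IPs are documentation ranges.
SAMPLE_LOG = [
    # benign management request with an ordinary-looking token
    '192.0.2.10 - - [27/Dec/2024:16:00:13 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=5f3a9c1e HTTP/1.1" 200 512',
    # percent-encoded ';' separator inside the session value
    '198.51.100.7 - - [27/Dec/2024:16:01:02 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload?session=5f3a%3Bid HTTP/1.1" 200 88',
    # double-encoded backticks plus a doubled slash in the path
    '198.51.100.7 - - [27/Dec/2024:16:01:05 +0000] "GET /cgi-bin//mainfunction.cgi/apmcfgupload?session=%2560id%2560 HTTP/1.1" 200 88',
    # metacharacters on an unrelated endpoint: should not fire
    '192.0.2.11 - - [27/Dec/2024:16:02:00 +0000] "GET /cgi-bin/mainfunction.cgi/other?session=a%3Bb HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

If the expected token format is known from your own device's logs (for example fixed-length hexadecimal), replacing the denylist with an allowlist regex on the decoded value is stricter and avoids missing unusual separators. The same logic can be expressed as an IDS rule keyed on the URI path and the decoded `session` argument; the path normalisation and second decode are the parts such a rule most often lacks.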


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2024-12-27T08:03:52.921Z
CISA Enriched
true
Cvss Version
4.0
State
PUBLISHED

Threat ID: 682cd0f81484d88663aeb8ab

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/4/2025, 3:12:51 PM

Last updated: 8/12/2025, 3:47:15 PM
