CVE-2024-45884 identifies a command injection vulnerability in the DrayTek Vigor3900 router firmware version 1.5.1.3. The vulnerability is triggered via the 'action' parameter in the CGI endpoint 'cgi-bin/mainfunction.cgi' when set to 'setSWMGroup'. This parameter is insufficiently sanitized, allowing an authenticated attacker with low privileges to inject arbitrary OS commands. The flaw falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that user-supplied input is not properly validated before being passed to system-level command execution functions. Exploitation requires authentication, which limits exposure but still poses a serious risk since many organizations use default or weak credentials or have exposed management interfaces. The vulnerability impacts confidentiality by enabling data disclosure, integrity by allowing unauthorized command execution, and availability by potentially disrupting device operation. The CVSS 3.1 base score is 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting that the attack vector is adjacent network, with low attack complexity, requiring privileges but no user interaction, and resulting in high impact across all security properties. No patches or public exploits are currently available, but the vulnerability is publicly disclosed and should be treated as a critical risk for affected devices.

The impact of CVE-2024-45884 is significant for organizations using DrayTek Vigor3900 routers, especially in enterprise, ISP, and critical infrastructure environments. Successful exploitation can lead to full compromise of the router, allowing attackers to execute arbitrary commands, potentially leading to data theft, network manipulation, persistent backdoors, or denial of service. This can disrupt business operations, compromise sensitive communications, and provide a foothold for lateral movement within networks. Since routers are critical network infrastructure components, their compromise can have cascading effects on network security and availability. The requirement for authentication reduces the risk of remote exploitation by unauthenticated attackers but does not eliminate it, as credential theft or weak/default passwords remain common. The absence of known exploits in the wild currently limits immediate widespread impact, but the public disclosure increases the risk of future exploitation attempts.

1. Immediately restrict administrative access to the DrayTek Vigor3900 management interface to trusted IP addresses and networks only, preferably via VPN or secure management channels. 2. Enforce strong, unique passwords and disable default credentials to reduce the risk of unauthorized authentication. 3. Monitor router logs and network traffic for unusual commands or activity related to the 'cgi-bin/mainfunction.cgi' endpoint, especially requests containing the 'setSWMGroup' action parameter. 4. Disable or limit CGI interface access if not required for operational purposes. 5. Apply firmware updates or patches from DrayTek as soon as they become available to address this vulnerability. 6. Consider network segmentation to isolate critical router management interfaces from general user networks. 7. Conduct regular security audits and penetration testing to detect potential exploitation attempts. 8. Implement multi-factor authentication for router management access if supported.