CVE-2024-45885 is a command injection vulnerability identified in the DrayTek Vigor3900 router firmware version 1.5.1.3. The flaw exists in the handling of the 'action' parameter within the 'cgi-bin/mainfunction.cgi' endpoint, specifically when set to 'autodiscovery_clear'. This vulnerability is post-authentication, meaning an attacker must first authenticate to the device, but no further user interaction is required. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that unsanitized input is passed to an OS command execution context. The CVSS v3.1 score is 8.0, reflecting high severity with attack vector as adjacent network (AV:A), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Successful exploitation allows an attacker to execute arbitrary OS commands on the router, potentially leading to full device compromise, data exfiltration, network disruption, or pivoting to internal networks. No patches or exploit code are currently publicly available, but the vulnerability has been officially published and reserved since September 2024. The affected version is specifically 1.5.1.3, with no other versions explicitly mentioned. The vulnerability affects a critical network infrastructure device used in enterprise and ISP environments.

The impact of CVE-2024-45885 is significant for organizations relying on DrayTek Vigor3900 routers. Exploitation can lead to complete compromise of the device, allowing attackers to execute arbitrary commands with the privileges of the router’s management interface. This can result in unauthorized access to network traffic, disruption of network services, interception or modification of data, and potential lateral movement within the network. Given the router’s role in managing network traffic and security, a compromised device can undermine the overall security posture of an organization. The requirement for authentication limits exposure but does not eliminate risk, especially in environments where credentials may be weak, reused, or exposed. The absence of a patch increases the window of vulnerability, making proactive mitigation critical. The vulnerability could be leveraged in targeted attacks against enterprises, service providers, or government networks using this hardware.

To mitigate CVE-2024-45885, organizations should immediately restrict access to the management interface of DrayTek Vigor3900 devices, limiting it to trusted administrative networks and using VPNs or secure jump hosts where possible. Enforce strong, unique authentication credentials and consider multi-factor authentication if supported. Monitor router logs and network traffic for unusual command execution patterns or unauthorized access attempts. Disable or restrict the use of the 'autodiscovery_clear' function if configurable. Network segmentation should be employed to isolate management interfaces from general user networks. Regularly check for firmware updates from DrayTek and apply patches promptly once available. Additionally, conduct vulnerability scans and penetration tests focused on router management interfaces to detect potential exploitation attempts. Implement strict change management and incident response plans to quickly address any signs of compromise.