CVE-2024-45887 is a command injection vulnerability identified in the DrayTek Vigor3900 router firmware version 1.5.1.3. The vulnerability exists in the web management interface, specifically in the CGI script located at cgi-bin/mainfunction.cgi. When the 'action' parameter is set to 'doOpenVPN', the input is improperly sanitized, allowing an authenticated user with low privileges to inject arbitrary operating system commands. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The attack vector requires authentication but no user interaction beyond that. The CVSS v3.1 base score is 8.0, reflecting high severity due to the potential for full system compromise, including confidentiality, integrity, and availability impacts. The vulnerability could enable attackers to execute arbitrary commands, potentially leading to device takeover, network pivoting, or disruption of VPN services. As of the publication date, no patches or official mitigations have been released, and no known exploits are in the wild. The vulnerability highlights the risks of insufficient input validation in network device management interfaces, especially those exposed to internal or remote administrative access.

The impact of CVE-2024-45887 is significant for organizations using DrayTek Vigor3900 routers. Successful exploitation allows an authenticated attacker to execute arbitrary commands on the device, potentially leading to full device compromise. This can result in unauthorized access to sensitive network traffic, disruption of VPN services, and lateral movement within the network. Confidentiality is at risk as attackers may intercept or manipulate VPN traffic. Integrity can be compromised by altering device configurations or injecting malicious payloads. Availability may be affected if attackers disrupt routing or VPN functionality, causing network outages. Given the device's role in securing remote access via VPN, exploitation could expose critical infrastructure and sensitive organizational data. The lack of public exploits currently reduces immediate widespread risk, but the high severity score and ease of exploitation post-authentication make this a critical concern for affected organizations.

To mitigate CVE-2024-45887, organizations should immediately restrict access to the DrayTek Vigor3900 management interface to trusted administrators only, ideally via isolated management VLANs or VPNs. Implement strong authentication controls, including multi-factor authentication, to reduce the risk of credential compromise. Monitor device logs for unusual activity related to the 'doOpenVPN' action or unexpected command execution attempts. Network segmentation should be enforced to limit the impact of a compromised device. Until an official patch is released, consider disabling the vulnerable web management interface if operationally feasible or restrict access to it via firewall rules. Regularly check for firmware updates from DrayTek and apply patches promptly once available. Conduct internal vulnerability assessments and penetration tests focusing on router management interfaces to identify similar weaknesses. Educate administrators about the risks of command injection and the importance of secure configuration management.