CVE-2024-45888: n/a
DrayTek Vigor3900 1.5.1.3 contains a command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `set_ap_map_config`.
AI Analysis
Technical Summary
CVE-2024-45888 is a command injection vulnerability identified in DrayTek Vigor3900 routers running firmware version 1.5.1.3. The vulnerability arises from improper sanitization of the 'action' parameter in the CGI script 'cgi-bin/mainfunction.cgi' when it is set to 'set_ap_map_config'. This flaw allows an authenticated attacker with low privileges to execute arbitrary operating system commands on the device. The vulnerability is classified as CWE-78, indicating improper neutralization of OS command elements, which can lead to command injection. The CVSS v3.1 base score is 8.0, reflecting high severity due to its impact on confidentiality, integrity, and availability, combined with low attack complexity and no requirement for user interaction. The attack vector is adjacent network (AV:A), meaning the attacker must have some network access, typically within the same local or VPN network. Although no public exploits are currently reported, the vulnerability poses a significant risk to network infrastructure devices, potentially allowing attackers to take full control of affected routers, disrupt network operations, or pivot to internal networks. The lack of an official patch at the time of disclosure increases the urgency for interim mitigations. This vulnerability highlights the critical need for secure input validation in web management interfaces of network devices.
Potential Impact
The impact of CVE-2024-45888 is substantial for organizations relying on DrayTek Vigor3900 routers as part of their network infrastructure. Exploitation could allow attackers to execute arbitrary commands with the privileges of the web management interface, potentially leading to full device compromise. This includes unauthorized access to sensitive network configurations, interception or manipulation of network traffic, disruption of network availability, and use of the device as a foothold for further attacks within the internal network. Organizations in sectors such as telecommunications, government, finance, and critical infrastructure that deploy these devices are at heightened risk. The vulnerability could facilitate espionage, data exfiltration, or denial of service, severely impacting business continuity and security posture. Given the device’s role in routing and network management, exploitation could also affect connected systems and services, amplifying the overall damage.
Mitigation Recommendations
To mitigate CVE-2024-45888, organizations should immediately restrict access to the DrayTek Vigor3900 management interface to trusted networks and users only, preferably via VPN or secure management VLANs. Implement strict network segmentation to limit exposure of the device’s management interface. Monitor network traffic and device logs for unusual commands or access patterns indicative of exploitation attempts. Disable or restrict the vulnerable CGI endpoint if possible through configuration. Employ multi-factor authentication for device management to reduce the risk of unauthorized access. Regularly back up device configurations to enable rapid recovery if compromise occurs. Stay alert for official patches or firmware updates from DrayTek and apply them promptly once released. Additionally, consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures targeting command injection attempts against this device. Conduct security audits and penetration tests focusing on network device management interfaces to identify similar vulnerabilities.
Affected Countries
United States, Germany, United Kingdom, Australia, Japan, South Korea, Singapore, Taiwan, India, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-11T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cf3b7ef31ef0b56a6f0
Added to database: 2/25/2026, 9:43:15 PM
Last enriched: 2/26/2026, 8:22:22 AM
Last updated: 4/12/2026, 3:46:36 PM