CVE-2024-45890 identifies a command injection vulnerability in the DrayTek Vigor3900 router firmware version 1.5.1.3. The vulnerability arises from insufficient input validation or sanitization of the 'action' parameter in the 'cgi-bin/mainfunction.cgi' endpoint, specifically when the parameter is set to 'download_ovpn'. This endpoint likely handles OpenVPN configuration downloads or related VPN functions. Because the flaw is post-authentication, an attacker must first authenticate with valid credentials, but only low privileges are required. Once authenticated, the attacker can inject arbitrary OS commands through the vulnerable parameter, leading to remote code execution on the device. This can allow attackers to manipulate device configurations, intercept or redirect network traffic, install persistent backdoors, or disrupt device availability. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating command injection. The CVSS v3.1 base score is 8.0, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction needed. No patches or public exploits are currently reported, but the risk remains significant given the device’s role in network infrastructure.

The exploitation of CVE-2024-45890 can have severe consequences for organizations relying on DrayTek Vigor3900 routers. Successful command injection can lead to full device compromise, allowing attackers to alter firewall rules, intercept VPN traffic, or pivot into internal networks. Confidential information such as VPN credentials, internal IP schemes, and sensitive communications could be exposed or manipulated. Integrity of network traffic and device configurations can be compromised, potentially enabling persistent access or lateral movement. Availability may also be impacted if attackers disrupt device operations or cause denial of service. Given the device’s role in enterprise and ISP networks, exploitation could affect business continuity, data privacy compliance, and critical infrastructure security. The requirement for authentication limits exposure to insiders or attackers with stolen credentials, but the low privilege needed and lack of user interaction make exploitation feasible in many scenarios.

Organizations should immediately verify if they are running DrayTek Vigor3900 firmware version 1.5.1.3 and restrict access to the device management interface to trusted administrators only. Since no patch is currently available, consider implementing network segmentation to isolate the device from untrusted networks and limit administrative access via VPN or secure management channels. Enforce strong authentication mechanisms and monitor for unusual login attempts or command execution patterns. Employ intrusion detection systems to flag anomalous requests to 'cgi-bin/mainfunction.cgi'. Disable or restrict the 'download_ovpn' functionality if not required. Regularly audit device configurations and logs for signs of compromise. Once a vendor patch is released, apply it promptly. Additionally, consider deploying endpoint detection and response solutions to detect lateral movement stemming from compromised devices.