CVE-2024-45891 identifies a command injection vulnerability in the DrayTek Vigor3900 router firmware version 1.5.1.3. The vulnerability arises from improper input validation of the 'action' parameter in the 'cgi-bin/mainfunction.cgi' CGI script, specifically when the parameter is set to 'delete_wlan_profile'. This flaw allows an attacker who has already authenticated with the device to inject arbitrary OS commands, leveraging CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network if the management interface is accessible. The CVSS 3.1 vector (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates the attack requires adjacent network access (e.g., VPN or internal network), low attack complexity, low privileges, no user interaction, and results in high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the potential for severe compromise of network infrastructure devices is significant. The lack of a published patch at the time of disclosure necessitates immediate compensating controls. This vulnerability could allow attackers to execute arbitrary commands, potentially leading to full device compromise, interception or manipulation of network traffic, and disruption of network services.

The impact of CVE-2024-45891 is substantial for organizations using DrayTek Vigor3900 routers, particularly those relying on these devices for critical network infrastructure. Successful exploitation can lead to full device compromise, enabling attackers to execute arbitrary commands with the privileges of the web management interface. This can result in unauthorized access to sensitive network configurations, interception or manipulation of data traversing the device, and disruption or denial of network services. The compromise of such routers can serve as a foothold for lateral movement within internal networks, increasing the risk of broader organizational breaches. Given the router's role in managing WLAN profiles, attackers could manipulate wireless configurations to further infiltrate or disrupt wireless networks. The requirement for authentication limits exposure to some extent, but insider threats or compromised credentials significantly increase risk. The absence of known exploits currently provides a window for mitigation, but the high CVSS score underscores the urgency for remediation. Organizations with remote management enabled or exposed management interfaces are particularly vulnerable, as attackers could exploit this flaw from adjacent networks or VPN connections.

To mitigate CVE-2024-45891, organizations should immediately restrict access to the DrayTek Vigor3900 management interface by limiting it to trusted internal networks and disabling remote management if not essential. Implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Monitor network traffic and device logs for unusual commands or access patterns indicative of exploitation attempts. Network segmentation should be employed to isolate management interfaces from general user networks. Until an official patch is released, consider deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block suspicious requests targeting the 'cgi-bin/mainfunction.cgi' endpoint with the 'delete_wlan_profile' action. Regularly update credentials and audit user accounts with access to the device. Engage with DrayTek support channels to obtain firmware updates or patches as soon as they become available. Additionally, conduct penetration testing and vulnerability assessments focused on network infrastructure to identify and remediate similar weaknesses proactively.