CVE-2024-45893 is a command injection vulnerability identified in the DrayTek Vigor3900 router firmware version 1.5.1.3. The flaw exists in the handling of the 'action' parameter within the 'cgi-bin/mainfunction.cgi' web interface endpoint, specifically when set to 'setSWMOption.' This parameter is vulnerable to injection of arbitrary commands due to insufficient input validation and sanitization, classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The vulnerability requires an attacker to be authenticated with at least low privileges (PR:L), but does not require user interaction (UI:N). The attack vector is adjacent network (AV:A), meaning the attacker must have network access to the device's management interface, typically via LAN or VPN. Successful exploitation allows an attacker to execute arbitrary OS commands with the privileges of the web server process, potentially leading to full system compromise, data exfiltration, or disruption of network services. The CVSS v3.1 base score of 8.0 reflects high impact on confidentiality, integrity, and availability. No public exploit code or patches have been published as of the vulnerability disclosure date (November 4, 2024), but the risk remains significant due to the critical nature of the flaw and the device's role in network infrastructure.

The vulnerability enables attackers with authenticated access to execute arbitrary commands on the DrayTek Vigor3900 router, potentially leading to full device compromise. This can result in unauthorized disclosure of sensitive network configuration and traffic data, modification or deletion of critical settings, and disruption or denial of network services. Given the router's role in managing network traffic and security policies, exploitation could allow attackers to pivot into internal networks, intercept or manipulate communications, and establish persistent footholds. Organizations relying on these devices for enterprise or ISP-grade connectivity face risks to operational continuity and data confidentiality. The absence of public exploits reduces immediate widespread threat but does not eliminate risk, especially from targeted attackers or insiders. The vulnerability's requirement for authentication limits exposure but does not negate the severity, as credential compromise or insider threats could facilitate exploitation.

1. Immediately restrict access to the DrayTek Vigor3900 management interface to trusted administrators only, preferably via secure VPN or isolated management VLANs. 2. Enforce strong authentication mechanisms and regularly rotate credentials to reduce the risk of unauthorized access. 3. Monitor device logs and network traffic for unusual commands or access patterns indicative of exploitation attempts. 4. Disable or limit the use of the vulnerable 'setSWMOption' functionality if possible through configuration or firmware settings. 5. Engage with DrayTek support or official channels to obtain and apply firmware updates or patches once available. 6. Implement network segmentation to isolate critical infrastructure and reduce the blast radius of a compromised device. 7. Conduct regular security audits and penetration testing focusing on network device management interfaces. 8. Educate administrators on the risks of post-authentication vulnerabilities and the importance of credential security. These steps go beyond generic advice by focusing on access control hardening, proactive monitoring, and configuration management specific to the affected device and vulnerability.