CVE-2024-48074: n/a
An authorized RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4, where an attacker can place a malicious command into the table parameter of the doPPPoE function in the cgi-bin/mainfunction.cgi route, and finally the command is executed by the system function.
AI Analysis
Technical Summary
CVE-2024-48074 is an authenticated remote code execution vulnerability identified in the DrayTek Vigor2960 router firmware version 1.4.4. The vulnerability exists in the doPPPoE function reachable via the cgi-bin/mainfunction.cgi CGI endpoint. Specifically, the 'table' parameter is vulnerable to command injection because its value is passed unsanitized to the system() function, allowing an attacker with authorized access to execute arbitrary system commands as the web process. This flaw is categorized under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). The CVSS v3.1 base score is 8.0, reflecting high severity due to the potential for complete system compromise. The attack vector is adjacent network (AV:A), requiring low attack complexity (AC:L) and low privileges (PR:L), with no user interaction (UI:N). The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No public exploit code or patches are currently available, increasing the urgency for organizations to implement mitigations. The vulnerability allows attackers with valid credentials to bypass the intended management functions and execute arbitrary commands, potentially leading to full device takeover, network pivoting, data interception, or disruption of network services.
Potential Impact
If exploited, this vulnerability could allow attackers to gain full control over affected DrayTek Vigor2960 routers, leading to severe consequences for organizations. Confidentiality could be compromised by intercepting or redirecting network traffic. Integrity could be undermined by modifying router configurations or injecting malicious payloads into the network. Availability could be disrupted by executing commands that disable network services or cause device crashes. Given the router's role as a network gateway, attackers could pivot to internal networks, escalate privileges, or establish persistent backdoors. This threat is particularly critical for organizations relying on these routers for secure WAN connectivity, including enterprises, ISPs, and critical infrastructure providers. The requirement for authenticated access limits exposure to insider threats or attackers who have compromised credentials, but the low complexity of exploitation and high impact make it a significant risk. The absence of patches or known exploits means organizations must act proactively to mitigate risk.
Mitigation Recommendations
Organizations should immediately restrict access to the router's management interface to trusted administrators only, ideally via VPN or secure management networks. Implement strong authentication mechanisms and rotate credentials to prevent unauthorized access. Disable or restrict access to the vulnerable CGI endpoint (cgi-bin/mainfunction.cgi) if possible. Monitor router logs for suspicious activity related to the doPPPoE function or unusual command execution. Employ network segmentation to limit the impact of a compromised router. Until an official patch is released, consider deploying host-based intrusion detection systems (HIDS) or network intrusion detection systems (NIDS) with custom signatures to detect exploitation attempts targeting the 'table' parameter. Engage with DrayTek support for firmware updates or workarounds. Regularly audit device configurations and firmware versions to ensure compliance with security best practices. Finally, prepare incident response plans to quickly isolate and remediate affected devices if exploitation is suspected.
Affected Countries
United States, Germany, United Kingdom, Australia, Japan, South Korea, Taiwan, Singapore, India, Canada
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-10-08T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d0bb7ef31ef0b56d721
Added to database: 2/25/2026, 9:43:39 PM
Last enriched: 2/28/2026, 7:36:31 AM
Last updated: 4/11/2026, 4:00:38 PM