CVE-2024-51244 is a command injection vulnerability identified in the Draytek Vigor3900 router firmware version 1.5.1.3. The vulnerability resides in the mainfunction.cgi web interface, specifically within the doIPSec function, which processes input parameters related to IPSec configurations. Due to insufficient input validation or sanitization, an attacker with low privileges can inject arbitrary commands into this function, leading to remote command execution on the device. The vulnerability is exploitable remotely over the network (Attack Vector: Adjacent Network), requires low attack complexity, and only low privileges (PR:L) without any user interaction. The CVSS v3.1 base score is 8.0, reflecting high impact on confidentiality, integrity, and availability. Exploiting this vulnerability could allow attackers to take full control of the router, manipulate network traffic, disrupt services, or pivot into internal networks. Although no public exploits are reported yet, the presence of CWE-78 (Improper Neutralization of Special Elements used in OS Command) indicates a classic injection flaw that is often targeted by attackers. The vulnerability was reserved on 2024-10-28 and published on 2024-11-01, with no official patches currently available.

The exploitation of CVE-2024-51244 can have severe consequences for organizations relying on Draytek Vigor3900 routers. Successful command injection enables attackers to execute arbitrary commands with the privileges of the web interface process, potentially leading to full device compromise. This can result in unauthorized access to sensitive network configurations, interception or manipulation of network traffic, disruption of VPN services, and denial of service conditions. Additionally, compromised routers can serve as footholds for lateral movement within corporate networks or as launch points for further attacks. The confidentiality, integrity, and availability of network communications are all at risk, which can severely impact business operations, data privacy, and regulatory compliance. Given the router’s role in securing VPN connections, this vulnerability could expose remote access channels to interception or tampering.

1. Immediate mitigation should include restricting access to the router’s management interface, especially the mainfunction.cgi endpoint, by limiting it to trusted IP addresses or internal networks only. 2. Disable or restrict IPSec VPN functionality if not in use or if it can be temporarily suspended without business impact. 3. Monitor network traffic and router logs for unusual commands or access patterns indicative of exploitation attempts. 4. Implement network segmentation to isolate critical infrastructure from potentially compromised devices. 5. Apply any available firmware updates or patches from Draytek as soon as they are released. 6. If patches are not yet available, consider deploying Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) with custom rules to detect and block command injection attempts targeting mainfunction.cgi. 7. Conduct regular security assessments and penetration tests focusing on router and VPN infrastructure to identify and remediate similar vulnerabilities proactively.