CVE-2024-51247 is a command injection vulnerability identified in Draytek Vigor3900 routers running firmware version 1.5.1.3. The flaw resides in the mainfunction.cgi web interface, specifically within the doPPPo function, which processes certain inputs without adequate sanitization. Attackers with low-level privileges can inject arbitrary OS commands through crafted requests to this CGI endpoint, leading to remote code execution on the device. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that input validation is insufficient to prevent command injection. The CVSS v3.1 base score is 8.0, reflecting high severity due to the combination of low attack complexity, no user interaction required, and the potential for full system compromise affecting confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability poses a significant risk given the critical role of routers in network infrastructure. The lack of an official patch at the time of disclosure necessitates immediate defensive measures to mitigate exploitation risk.

Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on the affected Draytek Vigor3900 routers, potentially leading to full device compromise. This can result in unauthorized access to network traffic, interception or manipulation of data, disruption of network services, and use of the compromised device as a foothold for further attacks within an organization’s network. The impact extends to loss of confidentiality, integrity, and availability of network communications. Given the router’s role as a gateway device, attackers could pivot to internal systems or launch denial-of-service attacks. Organizations relying on these routers for critical connectivity or VPN services face increased risk of operational disruption and data breaches.

1. Immediately restrict access to the router’s management interfaces (especially mainfunction.cgi) to trusted IP addresses and networks only, using firewall rules or access control lists. 2. Disable remote management features if not required, or enforce strong authentication and encrypted management protocols. 3. Monitor network traffic and device logs for unusual or unauthorized requests targeting mainfunction.cgi or attempts to invoke the doPPPo function. 4. Implement network segmentation to limit exposure of the router management interface to untrusted networks. 5. Regularly check for firmware updates from Draytek and apply patches promptly once released to address this vulnerability. 6. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures to detect command injection attempts targeting this vulnerability. 7. Conduct security audits and penetration testing focused on router management interfaces to identify and remediate similar weaknesses.