CVE-2024-51253 is a command injection vulnerability identified in the Draytek Vigor3900 router firmware version 1.5.1.3. The vulnerability resides in the mainfunction.cgi web interface, specifically within the doL2TP function, which handles Layer 2 Tunneling Protocol (L2TP) related operations. An attacker with low privileges (authenticated user) can inject arbitrary commands into this CGI endpoint, which are then executed by the system shell. This is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that user input is not properly sanitized before being passed to system commands. The CVSS v3.1 score is 8.0, reflecting high severity due to the combination of low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. Exploitation could allow attackers to gain control over the router, manipulate network traffic, intercept sensitive data, or disrupt network services. Although no public exploits or patches are currently available, the vulnerability poses a significant risk to organizations relying on this device for secure network operations.

The impact of CVE-2024-51253 is substantial for organizations using Draytek Vigor3900 routers as it allows attackers to execute arbitrary commands on the device with low privileges. This can lead to complete compromise of the router, enabling attackers to intercept, modify, or redirect network traffic, potentially leading to data breaches or man-in-the-middle attacks. The integrity of network configurations can be altered, causing persistent backdoors or denial of service conditions. Given that routers serve as critical network infrastructure, exploitation could disrupt business operations, degrade service availability, and expose sensitive internal communications. The vulnerability's exploitation could also serve as a foothold for lateral movement within corporate networks, increasing the overall risk profile. The absence of patches and known exploits in the wild suggests a window of exposure that must be addressed proactively.

Organizations should immediately audit their Draytek Vigor3900 devices to confirm firmware versions and restrict access to the management interface to trusted administrators only, preferably via secure management VLANs or VPNs. Implement strict access controls and multi-factor authentication to reduce the risk of unauthorized access. Monitor network traffic and device logs for unusual activity related to the mainfunction.cgi endpoint or L2TP operations. Disable or limit L2TP functionality if not required. Employ network segmentation to isolate critical infrastructure devices. Until an official patch is released, consider deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block suspicious command injection attempts targeting the CGI interface. Engage with Draytek support for updates and apply patches promptly once available. Regularly update device firmware and maintain an incident response plan tailored to network device compromises.