CVE-2024-51255 is a critical command injection vulnerability identified in the DrayTek Vigor3900 router firmware version 1.5.1.3. The vulnerability resides in the mainfunction.cgi web interface, specifically within the ruequest_certificate function, which improperly sanitizes user input. This flaw allows unauthenticated remote attackers to inject and execute arbitrary OS commands on the underlying system. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating that the input is not correctly validated or escaped before being passed to system-level commands. The CVSS v3.1 base score of 9.8 reflects the vulnerability's high exploitability (network vector, no privileges or user interaction required) and severe impact on confidentiality, integrity, and availability. Exploitation could lead to full system compromise, enabling attackers to control the router, intercept or manipulate network traffic, and potentially pivot into internal networks. Although no known exploits are currently reported in the wild, the critical nature of the flaw and the popularity of DrayTek devices in enterprise and ISP environments make this a significant threat. The absence of a patch or mitigation details at the time of publication increases urgency for affected organizations to implement compensating controls.

The impact of CVE-2024-51255 is severe for organizations relying on DrayTek Vigor3900 routers as part of their network infrastructure. Successful exploitation results in complete compromise of the device, allowing attackers to execute arbitrary commands with root-level privileges. This can lead to interception and manipulation of sensitive network traffic, disruption of network services, and unauthorized access to internal systems. Given the router's role as a gateway device, attackers could establish persistent backdoors, launch further attacks within the network, or exfiltrate confidential data. The vulnerability threatens confidentiality by exposing sensitive information, integrity by enabling unauthorized modifications, and availability by potentially causing denial of service. Enterprises, ISPs, and critical infrastructure operators using these devices face heightened risk of operational disruption and data breaches. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation once a public exploit emerges.

1. Immediately restrict access to the DrayTek Vigor3900 management interface (mainfunction.cgi) to trusted IP addresses only, preferably via VPN or internal network segmentation. 2. Implement strict firewall rules to block unauthorized external access to the router's web management ports. 3. Monitor network traffic for unusual or suspicious HTTP requests targeting mainfunction.cgi, especially those invoking the ruequest_certificate function. 4. Disable or limit the use of the certificate request functionality if possible until a vendor patch is available. 5. Regularly check for firmware updates from DrayTek and apply patches promptly once released. 6. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics to detect command injection attempts against this endpoint. 7. Conduct internal audits of router configurations and logs to identify any signs of compromise. 8. Educate network administrators about this vulnerability and enforce strong operational security practices around device management. 9. Consider deploying additional layers of network segmentation to isolate critical assets from affected devices. 10. If immediate patching is not possible, consider temporary replacement of vulnerable devices with unaffected models or vendors.