CVE-2024-51258 is a command injection vulnerability identified in the DrayTek Vigor3900 router firmware version 1.5.1.3. The vulnerability exists in the mainfunction.cgi web interface, specifically within the doSSLTunnel function, which fails to properly sanitize user-supplied input. This allows an attacker with low-level privileges (PR:L) to inject and execute arbitrary system commands remotely over the network without requiring user interaction (UI:N). The vulnerability is classified under CWE-77, indicating improper neutralization of special elements in OS commands. The CVSS v3.1 base score is 8.8, reflecting a high severity due to network attack vector (AV:N), low attack complexity (AC:L), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the flaw could enable attackers to take full control of the affected device, potentially leading to network disruption, data exfiltration, or pivoting to internal networks. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate risk mitigation.

The impact of CVE-2024-51258 is significant for organizations deploying DrayTek Vigor3900 routers. Successful exploitation allows attackers to execute arbitrary commands with the privileges of the web interface process, potentially escalating to full device compromise. This can lead to unauthorized access to sensitive network traffic, disruption of network services, and use of the compromised device as a foothold for further attacks within the internal network. The vulnerability affects confidentiality by exposing sensitive configuration and data, integrity by allowing malicious modifications, and availability by enabling denial-of-service conditions. Given the router’s role in enterprise and ISP networks, exploitation could have cascading effects on business operations and customer trust. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency for remediation.

Organizations should immediately audit their network to identify any DrayTek Vigor3900 devices running firmware version 1.5.1.3. Until an official patch is released, apply the following mitigations: restrict access to the router’s management interface by implementing network segmentation and firewall rules that limit access to trusted IP addresses; disable remote management features if not required; monitor network traffic for unusual activity targeting mainfunction.cgi or the doSSLTunnel function; employ intrusion detection/prevention systems (IDS/IPS) with signatures for command injection attempts; enforce strong authentication and change default credentials to reduce privilege escalation risk; and maintain up-to-date backups of device configurations to enable rapid recovery. Once a vendor patch is available, prioritize immediate deployment. Additionally, consider isolating vulnerable devices from critical network segments to minimize potential damage.