CVE-2024-51304 is a command injection vulnerability identified in the Draytek Vigor3900 router firmware version 1.5.1.3. The vulnerability resides in the mainfunction.cgi web interface, specifically within the ldap_search_dn function, which fails to properly sanitize user input. This allows an attacker with at least limited privileges (PR:L) to inject arbitrary commands that the system executes with the privileges of the web server process. The vulnerability does not require user interaction (UI:N) and can be exploited remotely over the network (AV:N) with low attack complexity (AC:L). The scope of impact is unchanged (S:U), but the consequences are severe, affecting confidentiality, integrity, and availability (C:H/I:H/A:H). The underlying weakness corresponds to CWE-77, which involves improper neutralization of special elements used in a command (command injection). Although no public exploits are currently known, the high CVSS score of 8.8 reflects the critical nature of this flaw. The absence of a patch at the time of publication increases the urgency for organizations to implement compensating controls. This vulnerability could allow attackers to take full control of affected routers, potentially leading to network compromise, data exfiltration, or denial of service.

The exploitation of CVE-2024-51304 can have severe consequences for organizations worldwide. Attackers gaining arbitrary command execution on Draytek Vigor3900 routers can manipulate network traffic, intercept or alter sensitive data, disrupt network availability, and establish persistent footholds within corporate networks. Given that routers are critical infrastructure components, compromise can cascade to other connected systems, amplifying the damage. Confidentiality is at high risk as attackers could extract sensitive configuration or user data. Integrity is compromised by the ability to alter device settings or inject malicious payloads. Availability can be disrupted through denial-of-service conditions or device instability caused by malicious commands. The vulnerability’s remote exploitability and lack of required user interaction make it a potent vector for automated attacks or targeted intrusions. Organizations relying on Draytek Vigor3900 devices for perimeter security or VPN services are particularly vulnerable, potentially exposing internal networks to external threats.

To mitigate CVE-2024-51304, organizations should immediately restrict access to the management interfaces of Draytek Vigor3900 routers, limiting it to trusted IP addresses and using VPNs or secure management channels. Network segmentation should be enforced to isolate critical infrastructure from general user networks. Monitoring and logging of router management traffic should be enhanced to detect anomalous command injection attempts or unusual activity patterns. Until an official patch is released, consider disabling or restricting the use of the mainfunction.cgi interface if feasible. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of identifying command injection attempts targeting this vulnerability. Regularly update firmware and subscribe to vendor advisories to apply patches promptly once available. Additionally, conduct security audits and penetration tests focusing on router configurations and web management interfaces to identify and remediate similar weaknesses.