CVE-2026-3040 is a medium-severity OS command injection vulnerability found in the DrayTek Vigor 300B router, affecting firmware versions up to 1.5.1.6. The vulnerability resides in the web management interface component, specifically within the cgiGetFile function of the /cgi-bin/mainfunction.cgi/uploadlangs endpoint. An attacker with authenticated access can manipulate the File parameter to inject and execute arbitrary operating system commands on the device. This can lead to unauthorized command execution, potentially compromising the device's integrity and availability. The attack vector is remote network access to the management interface, but requires valid credentials, limiting ease of exploitation. The vendor has confirmed that the Vigor 300B is end-of-life and will not receive security patches, leaving the vulnerability unmitigated in affected devices. While no active exploitation has been reported, public exploit code is available, increasing the risk of targeted attacks. The vulnerability's CVSS 4.0 score of 5.1 reflects its medium severity, considering the need for authentication and limited impact scope. Organizations using this device should be aware that continued use exposes them to potential compromise, especially if credentials are leaked or weak. The lack of vendor support necessitates alternative mitigation approaches such as device replacement or strict network controls.

The primary impact of CVE-2026-3040 is unauthorized remote command execution on affected DrayTek Vigor 300B devices, which can lead to device compromise, disruption of network services, and potential pivoting to internal networks. Since the vulnerability requires authentication, the risk is somewhat mitigated by credential controls; however, if credentials are weak, reused, or compromised, attackers can exploit this flaw to gain control over the device. This can result in loss of device integrity, potential denial of service, or use of the device as a foothold for further attacks within an organization's network. The fact that the product is end-of-life and will not receive patches means that organizations cannot remediate the vulnerability via firmware updates, increasing long-term risk. The availability of public exploit code further raises the likelihood of exploitation attempts. Organizations relying on these devices for critical network functions may face operational disruptions and increased exposure to cyberattacks.

Given the vendor's decision not to patch this vulnerability due to end-of-life status, organizations should prioritize replacing DrayTek Vigor 300B devices with supported models that receive security updates. Until replacement is feasible, organizations should implement strict network segmentation to isolate these devices from critical infrastructure and limit access to the management interface to trusted administrators only. Enforce strong, unique authentication credentials and consider multi-factor authentication if supported. Monitor device logs and network traffic for suspicious activity indicative of exploitation attempts. Disable remote management access if not required, or restrict it via VPN or IP whitelisting. Regularly audit devices for unauthorized configuration changes. If replacement is delayed, consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability. Maintain an inventory of affected devices to ensure focused mitigation efforts.