CVE-2026-3040 identifies a medium-severity OS command injection vulnerability in the DrayTek Vigor 300B router, affecting firmware versions up to 1.5.1.6. The vulnerability resides in the web management interface's cgiGetFile function within the /cgi-bin/mainfunction.cgi/uploadlangs endpoint. An attacker with valid authentication credentials can manipulate the File parameter to inject and execute arbitrary operating system commands remotely. This vulnerability does not require user interaction but does require authenticated access, limiting the attack surface to insiders or attackers who have obtained credentials. The vendor has declared the product end-of-life (EoL) and has no plans to issue patches or fixes. Publicly available exploits exist, increasing the risk of exploitation in environments where these devices remain in use. The vulnerability impacts confidentiality, integrity, and availability by enabling command execution, potentially leading to full device compromise. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) reflects network attack vector, low attack complexity, no user interaction, and partial impacts on confidentiality, integrity, and availability. Due to the lack of vendor support and patch availability, affected organizations must rely on compensating controls or device replacement. This vulnerability is particularly relevant for organizations still operating legacy DrayTek Vigor 300B devices, especially in critical network segments.

The vulnerability allows authenticated attackers to execute arbitrary OS commands on affected DrayTek Vigor 300B devices, potentially leading to full device compromise. This can result in unauthorized access to network traffic, manipulation or disruption of network services, and pivoting to other internal systems. Since the device is a network router, compromise could impact network availability and integrity, enabling attackers to intercept, modify, or block communications. The lack of vendor patches increases the risk of long-term exposure for organizations continuing to use these devices. Exploitation could facilitate espionage, data exfiltration, or denial of service attacks. Organizations relying on these routers in critical infrastructure, enterprise networks, or sensitive environments face heightened operational and security risks. The requirement for authentication reduces the likelihood of remote mass exploitation but does not eliminate insider threats or credential theft scenarios.

Given the absence of vendor patches, organizations should prioritize immediate replacement of DrayTek Vigor 300B devices with supported models. If replacement is not immediately feasible, implement strict network segmentation to isolate affected devices from untrusted networks and limit administrative access to trusted personnel only. Enforce strong authentication mechanisms, including complex passwords and multi-factor authentication where possible, to reduce the risk of credential compromise. Monitor device logs and network traffic for unusual activity indicative of exploitation attempts. Disable or restrict access to the vulnerable web management interface, preferably limiting it to secure management VLANs or out-of-band management networks. Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting known exploit patterns for this vulnerability. Regularly audit and update network device inventories to identify and remediate legacy equipment. Educate administrators about the risks and signs of compromise related to this vulnerability. Consider deploying network access control (NAC) solutions to enforce device compliance policies.