DrayTek Vigor Router: CVE-2024-12987: OS Command Injection

Severity: 7
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: Dec 27, 2024
Added: Jun 10, 2025
Modified: Jun 11, 2025

Description

A vulnerability was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. It affects an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. Manipulation of the argument session leads to OS command injection. The attack can be launched remotely. Upgrading the affected component is recommended.

Solution

draytek-vigor-router-upgrade-latest