DrayTek Vigor Router: CVE-2024-12987: OS Command Injection
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Dec 27, 2024 | Jun 10, 2025 | Jun 11, 2025 |
Description
A vulnerability was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. It affects an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. Manipulation of the argument session leads to OS command injection. The attack can be launched remotely. Upgrading the affected component is recommended.
Solution
draytek-vigor-router-upgrade-latest
References
- CVE-2024-12987
- https://attackerkb.com/topics/CVE-2024-12987
- https://nvd.nist.gov/vuln/detail/CVE-2024-12987
- https://fw.draytek.com.tw/Vigor300B/Firmware/v1.5.1.5/DrayTek_Vigor300B_V1.5.1.5_01release-note.pdf
- https://fw.draytek.com.tw/Vigor2960/Firmware/v1.5.1.5/DrayTek_Vigor2960_V1.5.1.5_01release-note.pdf