CVE-2024-12986

Name of the Vulnerable Software and Affected Versions DrayTek Vigor2960 and Vigor300B versions 1.5.1.3 through 1.5.1.4

Description A critical issue has been found in the Web Management Interface component, affecting some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim. The manipulation of the session argument leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Recommendations For DrayTek Vigor2960 and Vigor300B versions 1.5.1.3 through 1.5.1.4, upgrade to version 1.5.1.5 to address this issue. As a temporary workaround, consider restricting access to the vulnerable Web Management Interface component until the update is applied. Avoid using the session argument in the affected API endpoint until the issue is resolved.