PT-2024-34575 · Draytek · Draytek Vigor3900

Published

2024-11-04

Updated

2024-11-04

CVE-2024-51251

CVSS v3.1

8.0

High

Vector

AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Draytek Vigor3900 version 1.5.1.3

Description The issue allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the backup function. This enables attackers to potentially gain unauthorized access and control over the system.

Recommendations For Draytek Vigor3900 version 1.5.1.3, consider disabling access to the mainfunction.cgi until a patch is available to prevent command injection attacks. Restrict the use of the backup function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2024-51251

Affected Products

Draytek Vigor3900

PT-2024-34575 · Draytek · Draytek Vigor3900

CVE-2024-51251

Weakness Enumeration

Related Identifiers

Affected Products

References · 6