CVE-2024-48074

Name of the Vulnerable Software and Affected Versions DrayTek Vigor2960 version 1.4.4

Description An authorized remote code execution vulnerability exists due to the lack of neutralization of special elements used in the operating system command. This allows an attacker to execute arbitrary code by injecting a specially crafted command into the table parameter of the doPPPoE function in the "cgi-bin/mainfunction.cgi" route, which is then executed by the system function. Over 52,000 results have been found on a search engine, indicating a potentially large number of affected devices.

Recommendations For DrayTek Vigor2960 version 1.4.4, as a temporary workaround, consider disabling the doPPPoE function in the "cgi-bin/mainfunction.cgi" route until a patch is available. Restrict access to the cgi-bin/mainfunction.cgi route to minimize the risk of exploitation. Avoid using the table parameter in the affected route until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.