CVE-2024-12986

HIGH

DrayTek Vigor2960 and Vigor300B 1.5.1.3-1.5.1.4 - OS Command Injection via apmcfgupptim Session Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-12986. PoCs published by Aether-0.

AI-analyzed exploit summary This repository contains a functional exploit and scanner for CVE-2024-12986, a command injection vulnerability in the `apmcfgupptim` endpoint of DrayTek Gateway Devices. The exploit (`exploit.py`) provides an interactive shell for executing arbitrary commands, while the scanner (`scan.sh`) checks for vulnerable endpoints.

Description

A vulnerability, which was classified as critical, has been found in DrayTek Vigor2960 and Vigor300B 1.5.1.3/1.5.1.4. This issue affects some unknown processing of the file /cgi-bin/mainfunction.cgi/apmcfgupptim of the component Web Management Interface. The manipulation of the argument session leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

Exploits (1)

nomisec WORKING POC 1 stars

by Aether-0 · poc

https://github.com/Aether-0/CVE-2024-12986

View Code ZIP pw:eip

This repository contains a functional exploit and scanner for CVE-2024-12986, a command injection vulnerability in the `apmcfgupptim` endpoint of DrayTek Gateway Devices. The exploit (`exploit.py`) provides an interactive shell for executing arbitrary commands, while the scanner (`scan.sh`) checks for vulnerable endpoints.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: DrayTek Gateway Devices (specific versions not specified)

No auth needed

Prerequisites: Network access to the target device · Python 3 and PySocks library for exploit.py · Bash and Netcat for scan.sh

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.289379

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.289379

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.468794

Exploit, Third Party Advisory exploit

https://netsecfish.notion.site/Command-Injection-in-apmcfgupptim-endpoint-for-DrayTek-Gateway-Devices-1676b683e67c80b9ad8cc37b93273bf6?pvs=4

Scores

CVSS v3 7.3

EPSS 0.7063

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-78 CWE-77

Status published

Products (2)

draytek/vigor2960_firmware 1.5.1.3 - 1.5.1.5

draytek/vigor300b_firmware 1.5.1.3 - 1.5.1.5

Published Dec 27, 2024

Tracked Since Feb 18, 2026