CVE-2024-12987

HIGH KEV NUCLEI

Draytek Vigor300b Firmware - Command Injection

Title source: rule

Description

A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

Nuclei Templates (1)

DrayTek Vigor - Command Injection
CRITICALby ritikchaddha
FOFA: "excanvas.js" && "lang == \"zh-cn\"" && "detectLang" && server=="DWS"

References (8)

Scores

CVSS v3 7.3
EPSS 0.7899
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Details

CISA KEV 2025-05-15
VulnCheck KEV 2025-02-12
ENISA EUVD EUVD-2024-51246
CWE
CWE-78 CWE-77
Status published
Products (2)
draytek/vigor2960_firmware 1.5.1.4
draytek/vigor300b_firmware 1.5.1.4
Published Dec 27, 2024
KEV Added May 15, 2025
Tracked Since Feb 18, 2026