CVE-2024-12987 — DrayTek Vigor Routers OS Command Injection Vulnerability

DrayTek Vigor 2960/300B/3900 — Unauthenticated OS Command Injection via Web Management CGI

What are DrayTek Vigor Routers?

DrayTek Vigor routers are enterprise and SMB networking devices providing VPN gateway, firewall, load balancing, and WAN failover capabilities. The Vigor2960, Vigor300B, and Vigor3900 are multi-WAN router/load balancer models commonly deployed as internet gateways and VPN concentrators in small to medium businesses, branch offices, and remote sites. Because they sit at the network perimeter and manage all inbound/outbound traffic, a compromised Vigor router gives an attacker full visibility into network traffic and a persistent foothold in the network.

Overview

CVE-2024-12987 is an OS command injection vulnerability in the web management interface of DrayTek Vigor2960, Vigor300B, and Vigor3900 routers. Specifically, the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint passes user-supplied input to a system command without adequate sanitization, enabling unauthenticated remote code execution. DrayTek released firmware 1.5.1.5 for all three models in late December 2024. CISA added the vulnerability to the KEV catalog in May 2025 following confirmed in-the-wild exploitation.

Affected Versions

Device               Vulnerable    Fixed
DrayTek Vigor2960    < 1.5.1.5     1.5.1.5
DrayTek Vigor300B    < 1.5.1.5     1.5.1.5
DrayTek Vigor3900    < 1.5.1.5     1.5.1.5

Technical Details

CWE-77 (Improper Neutralization of Special Elements used in a Command / Command Injection). The /cgi-bin/mainfunction.cgi/apmcfgupload endpoint in the Vigor web management interface is accessible without authentication and processes file upload parameters that are passed directly to an OS command. An attacker can craft a malicious HTTP request that injects shell commands into this parameter, executing arbitrary code with the privileges of the web server process — typically root on embedded routers of this class.

The attack requires no authentication, no user interaction, and no unusual network conditions. Any attacker who can reach the router's management interface (default port 443 or 8069 for remote access) can exploit this vulnerability in a single HTTP request.

Discovery

The vulnerability was reported to DrayTek, which released patched firmware 1.5.1.5 for all three affected models in December 2024. The CISA KEV addition in May 2025 indicates a five-month gap between patch availability and CISA's confirmation of active exploitation.

Exploitation Context

Network perimeter devices — routers, firewalls, VPN concentrators — are a consistent target for sophisticated threat actors, including nation-state APTs seeking persistent access to enterprise networks. DrayTek Vigor routers have been targeted in previous campaigns by China-nexus groups (including campaigns documented by the UK's NCSC and CISA), and the pattern of delayed KEV addition after patch release suggests exploitation began as unpatched devices were identified by scanning. Internet-exposed router management interfaces are routinely scanned and cataloged by tools like Shodan, so devices running vulnerable firmware versions are straightforward to identify at scale.

Remediation

  1. Upgrade all DrayTek Vigor2960, Vigor300B, and Vigor3900 devices to firmware 1.5.1.5 or later.
  2. Disable remote management (WAN-side access to the management interface) if not required. If remote management is needed, restrict it to specific trusted IP addresses.
  3. Change all router admin credentials from defaults to strong, unique passwords.
  4. Review router syslog and management access logs for unexpected configuration changes, new admin accounts, or unfamiliar IP addresses that may indicate pre-patch compromise.
  5. If remote management was internet-exposed during the vulnerability window, treat the device as potentially compromised and perform a factory reset before applying the patched firmware.
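As an added example (not DrayTek's code or part of the advisory), the following script supports steps 1 and 4 above: it triages a device inventory against the 1.5.1.5 fixed version for the three affected models and flags requests to the /cgi-bin/mainfunction.cgi/apmcfgupload endpoint in web-server access logs. The inventory rows, the log lines and the query parameter name are constructed sample data.

```python
import re
from urllib.parse import unquote

# Models and fixed firmware named in the advisory.
AFFECTED_MODELS = {"Vigor2960", "Vigor300B", "Vigor3900"}
FIXED_VERSION = (1, 5, 1, 5)
VULN_ENDPOINT = "/cgi-bin/mainfunction.cgi/apmcfgupload"

# Shell metacharacters that have no business in an upload parameter.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\|\|")

# Minimal common-log-format parser: client IP, method, request target.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def version_tuple(fw: str) -> tuple:
    """Turn '1.5.1.4' into (1, 5, 1, 4); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", fw))


def is_vulnerable(model: str, firmware: str) -> bool:
    """True when an affected model runs firmware older than 1.5.1.5."""
    return model in AFFECTED_MODELS and version_tuple(firmware) < FIXED_VERSION


def triage_inventory(inventory):
    """Return the (hostname, model, firmware) rows that still need the patch."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


def flag_requests(log_lines):
    """Flag every request to the apmcfgupload endpoint: 'high' when the decoded
    target carries shell metacharacters, else 'medium' (unexpected use of an
    unauthenticated endpoint is worth a look either way)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        if target.startswith(VULN_ENDPOINT):
            hits.append((m.group("ip"), "high" if SHELL_META.search(target) else "medium"))
    return hits


# Constructed sample data (not from any real device or incident).
INVENTORY = [("branch-gw-1", "Vigor2960", "1.5.1.4"), ("branch-gw-2", "Vigor3900", "1.5.1.5"),
             ("hq-gw", "Vigor300B", "1.4.3"), ("lab-ap", "VigorAP903", "1.4.0")]  # last: not affected
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:03:14:07 +0000] "POST /cgi-bin/mainfunction.cgi/apmcfgupload?name=a%3Bb HTTP/1.1" 200 12',
    '198.51.100.9 - - [10/Jan/2025:03:15:01 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload HTTP/1.1" 200 0',
    '192.0.2.44 - - [10/Jan/2025:03:16:22 +0000] "GET /cgi-bin/mainfunction.cgi/login HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(triage_inventory(INVENTORY))   # devices still on firmware < 1.5.1.5
    print(flag_requests(SAMPLE_LOG))     # [('203.0.113.7', 'high'), ('198.51.100.9', 'medium')]
```

Any "medium" hit from a WAN address during the vulnerability window is enough to apply step 5 to that device.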

Key Details

Property              Value
CVE ID                CVE-2024-12987
Vendor / Product      DrayTek — Vigor Routers
NVD Published         2024-12-27
NVD Last Modified     2025-10-30
CVSS 3.1 Score        7.3
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity              HIGH
CWE                   CWE-77
CISA KEV Added        2025-05-15
CISA KEV Deadline     2025-06-05
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Required Action

CISA BOD 22-01 Deadline: 2025-06-05. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-12-27  CVE published; DrayTek releases firmware 1.5.1.5 for Vigor2960, Vigor300B, and Vigor3900
2025-05-15  Added to CISA Known Exploited Vulnerabilities catalog
2025-06-05  CISA BOD 22-01 remediation deadline