DrayTek Vigor 1.5.1.4 < 1.5.1.5 Command Injection

critical Nessus Plugin ID 242052

Synopsis

The remote host is missing a security update.

Description

The version of DrayTek Vigor installed on the remote host is 1.5.1.4. It is, therefore, affected by a vulnerability classified as critical. The flaw is in an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload in the Web Management Interface component. Manipulating the session argument leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 addresses this issue, and upgrading the affected component is recommended.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to DrayTek Vigor version 1.5.1.5 or later.

See Also

http://www.nessus.org/u?05b6ef61

http://www.nessus.org/u?95656813

http://www.nessus.org/u?ab897c45

Plugin Details

Severity: Critical

ID: 242052

File Name: draytek_vigor_cve-2024-12987.nasl

Version: 1.1

Type: remote

Family: Misc.

Published: 7/14/2025

Updated: 7/14/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-12987

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/h:draytek:vigor

Required KB Items: installed_sw/DrayTek Vigor, SNMP/port

Patch Publication Date: 12/27/2024

Vulnerability Publication Date: 12/27/2024

CISA Known Exploited Vulnerability Due Dates: 6/5/2025

Reference Information

CVE: CVE-2024-12987