CVE-2024-51259

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 31, 2024 / Updated: 19d ago

010
CVSS 9.8EPSS 0.04%Critical
CVE info copied to clipboard

Summary

DrayTek Vigor3900 version 1.5.1.3 contains a vulnerability that allows attackers to inject malicious commands into the mainfunction.cgi file and execute arbitrary commands by calling the setup_cacertificate function. This is a command injection vulnerability, classified as CWE-77 (Improper Neutralization of Special Elements used in a Command).

Impact

The impact of this vulnerability is severe. Attackers can execute arbitrary commands on the affected system, potentially leading to complete system compromise. This could result in unauthorized access to sensitive information, modification of system configurations, installation of malware, or use of the compromised system as a pivot point for further attacks on the network. The confidentiality, integrity, and availability of the system are all at high risk.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

As of the current information provided, there is no mention of an available patch for this vulnerability. Users of DrayTek Vigor3900 version 1.5.1.3 should monitor DrayTek's official channels for security updates and patch releases.

Mitigation

While waiting for an official patch, consider the following mitigation strategies: 1. Restrict network access to the affected DrayTek Vigor3900 devices, allowing only trusted IP addresses to connect. 2. Monitor logs for any suspicious activities or unauthorized access attempts. 3. If possible, disable or restrict access to the setup_cacertificate function. 4. Implement network segmentation to isolate affected devices from critical network assets. 5. Regularly back up configurations and data to ensure quick recovery in case of compromise. 6. Consider using a Web Application Firewall (WAF) to filter malicious inputs if applicable. 7. Stay informed about any updates or advisories from DrayTek regarding this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-51259

Oct 31, 2024 at 2:15 PM
First Article

Feedly found the first article mentioning CVE-2024-51259. See article

Oct 31, 2024 at 2:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 31, 2024 at 2:24 PM
CVSS

A CVSS base score of 9.8 has been assigned.

Oct 31, 2024 at 7:40 PM / nvd
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Nov 1, 2024 at 9:55 AM
Static CVE Timeline Graph

Affected Systems

Draytek/vigor3900
+null more

Attack Patterns

CAPEC-136: LDAP Injection
+null more

News

CVE Alert: CVE-2024-51259
Everyone that supports the site helps enable new functionality. CVSS v3 Score: 9.8 (Critical)
NA - CVE-2024-51259 - DrayTek Vigor3900 1.5.1.3 allows attackers to...
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function.
CVE-2024-51259
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate...
CVE-2024-51259 - DrayTek Vigor3900 Code Injection Vulnerability
CVE ID : CVE-2024-51259 Published : Oct. 31, 2024, 2:15 p.m. 16 minutes ago Description : DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function. Severity: 0.0 NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-51259 | DrayTek Vigor 3900 1.5.1.3 mainfunction.cgi setup_cacertificate command injection
A vulnerability, which was classified as critical , has been found in DrayTek Vigor 3900 1.5.1.3 . Affected by this issue is the function setup_cacertificate of the file mainfunction.cgi . The manipulation leads to command injection. This vulnerability is handled as CVE-2024-51259 . Access to the local network is required for this attack. There is no exploit available.
See 3 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI