CVE-2024-51296

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 30, 2024 / Updated: 20d ago

CVSS 8.8 (High) / EPSS 0.04%

Summary

In Draytek Vigor3900 version 1.5.1.3, there is a command injection vulnerability in the mainfunction.cgi file. Attackers can exploit this vulnerability by injecting malicious commands into the pingtrace function, allowing for the execution of arbitrary commands on the system.

Impact

This vulnerability has a high severity impact across confidentiality, integrity, and availability. Successful exploitation could allow attackers to execute arbitrary commands on the affected Draytek Vigor3900 systems. This could lead to unauthorized access to sensitive information, modification of system configurations, and potential disruption of services. Given the network-based attack vector and low attack complexity, this vulnerability poses a significant risk to affected systems.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation at the moment.

Patch

The available information does not mention a patch for this vulnerability. Organizations using Draytek Vigor3900 version 1.5.1.3 should closely monitor for any updates or patches released by Draytek to address this issue.

Mitigation

While awaiting a patch, consider the following mitigation strategies:

1. Restrict network access to the affected Draytek Vigor3900 devices, particularly the mainfunction.cgi file.
2. Implement strong network segmentation to limit potential lateral movement if a device is compromised.
3. Monitor logs and network traffic for any suspicious activities related to the pingtrace function or unexpected command executions.
4. If possible, disable or restrict access to the pingtrace function until a patch is available.
5. Keep all Draytek Vigor3900 firmware up-to-date with the latest security patches as they become available.
6. Consider using network intrusion detection/prevention systems (IDS/IPS) to detect and block potential exploitation attempts.
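One way to implement the log monitoring described in the mitigation list, as an added example that is not code from the original page or from Draytek: it flags logged requests to mainfunction.cgi that mention pingtrace and carry shell metacharacters in any decoded parameter. It assumes a common-format access log (for example from a reverse proxy in front of the management interface) in which request parameters appear in the logged URL; the `/cgi-bin/` prefix and the parameter names `action` and `target` in the sample lines are hypothetical, because the page does not document the request format.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")
# Common/combined access-log prefix: client ident user [time] "METHOD target PROTO"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def decoded_params(query):
    """Split on '&' before decoding so an encoded %26 stays inside its value."""
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)

def check_line(line):
    """Return [(client, parameter, decoded value), ...] for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("mainfunction.cgi"):
        return []
    params = list(decoded_params(url.query))
    # Only requests that reference the pingtrace function are in scope.
    if not any("pingtrace" in value.lower() for _, value in params):
        return []
    return [(m["src"], name, value) for name, value in params if SHELL_META.search(value)]

def scan(lines):
    """Collect findings across an iterable of log lines."""
    return [hit for line in lines for hit in check_line(line)]

# Constructed sample lines (documentation-range addresses); the path prefix
# and the parameter names are hypothetical, not taken from the advisory.
SAMPLE_LOG = [
    '198.51.100.10 - admin [30/Oct/2024:14:20:01 +0000] "GET /cgi-bin/mainfunction.cgi?action=pingtrace&target=192.0.2.1 HTTP/1.1" 200 512',
    '203.0.113.5 - user1 [30/Oct/2024:14:21:44 +0000] "GET /cgi-bin/mainfunction.cgi?action=pingtrace&target=192.0.2.1%3Bid HTTP/1.1" 200 87',
    '198.51.100.10 - admin [30/Oct/2024:14:22:09 +0000] "GET /index.html?q=a%3Bb HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, name, value in scan(SAMPLE_LOG):
        print(f"ALERT {src}: pingtrace parameter {name!r} = {value!r}")
```

The check decodes each value once, so double-encoded input and parameters sent only in a request body need a log source that records them in decoded form.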

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-51296

Oct 30, 2024 at 2:15 PM

First Article

Feedly found the first article mentioning CVE-2024-51296.

Oct 30, 2024 at 2:22 PM / National Vulnerability Database

CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 30, 2024 at 2:22 PM

CVSS

A CVSS base score of 8.8 has been assigned.

Oct 30, 2024 at 6:40 PM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 9.9%)

Oct 31, 2024 at 10:14 AM

Affected Systems

Draytek/vigor3900

Attack Patterns

CAPEC-136: LDAP Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
