CVE-2024-51300

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Oct 30, 2024 / Updated: 20d ago

CVSS 8.8 (High) / EPSS 0.04%

Summary

In Draytek Vigor3900 version 1.5.1.3, there is a command injection vulnerability in the mainfunction.cgi file. Attackers can exploit this by calling the get_rrd function, which allows them to inject and execute arbitrary commands.

Impact

This vulnerability has a high severity with a CVSS v3.1 base score of 8.8. It allows attackers to execute arbitrary commands on the affected system, potentially leading to complete system compromise. The impact on confidentiality, integrity, and availability is high. Attackers can potentially access sensitive information, modify system configurations, and disrupt normal operations of the Draytek Vigor3900 device.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation at the moment.

Patch

As of the current information provided, there is no mention of an available patch for this vulnerability. The security team should monitor Draytek's official channels for any security updates or patches related to this issue.

Mitigation

Until a patch is available, consider the following mitigation strategies:

1. Restrict network access to the affected Draytek Vigor3900 devices, especially the mainfunction.cgi file.
2. Implement strong network segmentation to isolate affected devices.
3. Monitor for any suspicious activities or unauthorized access attempts on these devices.
4. If possible, disable or restrict access to the get_rrd function if it's not critical for operations.
5. Regularly review and audit system logs for any signs of exploitation attempts.
6. Consider upgrading to a newer version of the firmware if available, as the vulnerability is specific to version 1.5.1.3.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment
NVD published the first details for CVE-2024-51300.
Oct 30, 2024 at 2:15 PM

First Article
Feedly found the first article mentioning CVE-2024-51300.
Oct 30, 2024 at 2:22 PM / National Vulnerability Database

CVSS Estimate
Feedly estimated the CVSS score as HIGH.
Oct 30, 2024 at 2:22 PM

CVSS
A CVSS base score of 8.8 has been assigned.
Oct 30, 2024 at 6:40 PM / nvd

EPSS
EPSS Score was set to: 0.04% (Percentile: 9.9%)
Oct 31, 2024 at 10:14 AM

Affected Systems

Draytek/vigor3900_firmware

Attack Patterns

CAPEC-136: LDAP Injection

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
