What is CVE-2024-12987?
CVE-2024-12987 is a critical OS Command Injection vulnerability in DrayTek Vigor2960, Vigor300B, and Vigor3900 routers running firmware v1.5.1.4. The flaw resides in the Web Management Interface, specifically in the /cgi-bin/mainfunction.cgi/apmcfgupload handler. Because the session parameter is not properly sanitized, an unauthenticated attacker can inject arbitrary system commands that the device executes with root privileges.
When was the vulnerability discovered?
The vulnerability was published to NVD on December 27, 2024. DrayTek published three release notes addressing the security issue and the fix for the affected routers. A PoC exploit was made available publicly shortly after disclosure. Armis Centrix™ for Early Warning, whose AI intelligence collected and analyzed the context of threat actor conversations regarding this vulnerability, added it to the early warning list on January 7, 2025, immediately protecting our customers from this threat. In contrast, CISA added CVE-2024-12987 to its KEV catalog on May 15, 2025, making Armis Centrix™ for Early Warning 128 days earlier.
Significance of CVE-2024-12987:
Vulnerable component: The issue lies in the input sanitization of an unknown function inside /cgi-bin/mainfunction.cgi/apmcfgupload. This functionality fails to sanitize the session argument, allowing direct shell-level command execution.
Exploitation scenario: Attackers can exploit this vulnerability by sending a crafted payload to the exposed Web GUI of affected DrayTek routers. A PoC has been released by a researcher in a Notion blog post, and DrayTek routers have been observed in botnet campaigns in the wild.
Impact and blast radius: Because the attacker can execute OS commands as root, exploitation can result in full takeover of the device and lateral movement within the victim’s subnet.
Value of Timely Awareness: Fast detection and proactive action are essential in reducing the risks associated with such vulnerabilities. Given the severity of the vulnerability and the nature of the impacted product (an edge router), an attacker could quickly map the victim’s infrastructure and perform further exploitation. Updating the firmware to the latest patched version and monitoring the device for suspicious activity, such as unexpected outbound connections, is crucial.
Mitigation and Protection:
Proactive defense and workarounds: It is critical to update your affected DrayTek Vigor routers to version 1.5.1.5 or later. This version contains a patch to correct the vulnerable implementation of input sanitization.
Continuous monitoring and updates: Security teams should monitor vendor advisories and apply security patches as soon as they become available, monitor their SIEM for suspicious requests matching the technical details reported above and in the official advisory, and regularly assess existing security controls. They should also run automated security scans against exposed ports. By implementing these practices, organizations can effectively mitigate the risks posed by CVE-2024-12987 and safeguard their DrayTek routers from exploitation.
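As an added example for the SIEM monitoring recommended above (not DrayTek or Armis code), the following script flags web access-log entries that target the /cgi-bin/mainfunction.cgi/apmcfgupload handler named in the advisory with a session value containing shell metacharacters. The combined-format log layout and the sample lines are constructed assumptions; only the handler path and parameter name come from the page.

```python
"""Flag access-log requests matching the CVE-2024-12987 pattern."""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Vulnerable handler named in the advisory text.
VULN_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"

# Shell metacharacters that have no business in a session identifier.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Request line inside a combined-format access log entry (assumed layout).
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
IP_RE = re.compile(r"^(?P<ip>\S+) ")


def inspect_request(log_line: str) -> Optional[dict]:
    """Return a finding if the request hits the vulnerable handler with a
    session value containing shell metacharacters, otherwise None."""
    m = REQ_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != VULN_PATH:
        return None
    # parse_qs decodes once; decode again to catch double-encoded payloads.
    sessions = [unquote(v) for v in parse_qs(url.query).get("session", [])]
    bad = [s for s in sessions if SHELL_META.search(s)]
    if not bad:
        return None
    ip_m = IP_RE.match(log_line)
    return {"src": ip_m.group("ip") if ip_m else "?", "session": bad[0]}


def scan_log(lines):
    """Run inspect_request over every line and keep the findings."""
    return [f for f in (inspect_request(line) for line in lines) if f]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2025:10:01:02 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=abc123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Jan/2025:10:01:05 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=x%3Becho HTTP/1.1" 200 98',
    '198.51.100.4 - - [07/Jan/2025:10:02:11 +0000] "GET /cgi-bin/mainfunction.cgi/other?session=x%3Becho HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT src={f['src']} suspicious session value {f['session']!r}")
```

Only the second sample line is flagged: a benign session value and a request to a different path both pass.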
Stay vigilant and ensure your systems are up-to-date to defend against evolving cybersecurity threats.
Armis Centrix™ for Early Warning is the proactive cybersecurity solution designed to empower organizations with early warning intelligence to anticipate and mitigate cyber risk effectively. Looking for real-time context, prioritization, and actionable insights tailored to your specific industry and threat levels? Make sure to check out our Armis Vulnerability Intelligence Database.