🔴 CVE-2024-12987

OS command injection in the web management interface of DrayTek Vigor routers, exploitable by an unauthenticated remote attacker for code execution on the device. The flaw sits in the apmcfgupload endpoint. The CVE is listed in CISA's Known Exploited Vulnerabilities catalog, so it is being exploited in the wild.

Risk Level: HIGH_RISK
CVSS Score: 7.3
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2024-12-27

Added to CISA KEV: 2025-05-15 (139 days between CVE publication and KEV listing)

🎯 Recommendations: Upgrade affected Vigor2960 and Vigor300B devices (and the Vigor3900, which source [5] also lists) to firmware 1.5.1.5 or later [1] [7]. Because the CVE is in CISA KEV, treat any instance of the web management interface reachable from an untrusted network as already targeted until it is patched.

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2024-12987 is an OS command injection vulnerability affecting specific DrayTek Vigor router models [1] [5]. The sources classify it as critical; note that the CVSS base score shown on this page, 7.3, falls in the High band of the CVSS scale.

Vulnerability Overview
  • Affected Products: DrayTek Vigor2960 and Vigor300B running firmware version 1.5.1.4 [2]; source [5] also lists the Vigor3900 on the same firmware version.
  • Impact: Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary OS commands on the device, which amounts to full device takeover [1] [4].
Attack Details
  • Method: The flaw is in the web management interface, in the apmcfgupload handler under `/cgi-bin/` [2].
  • Requirements: The attack is remote and needs neither authentication nor user interaction [4]; a single specially crafted web request to the device is enough [1].
Exploitation and Availability
  • Exploit Availability: Public proof-of-concept (PoC) code exists for this vulnerability [1] [6], and a detection template for the Nuclei scanner has been published [3].
  • Threat Actor Usage: None of the sources here ties the vulnerability to a named ransomware campaign or APT group, although its CISA KEV listing (above) establishes in-the-wild exploitation. Remote, unauthenticated command execution on a network edge device makes it a high-value target for opportunistic attackers.
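Detecting attempts against this endpoint in HTTP logs, as an added example that is not part of the original page, the Nuclei template, or any DrayTek tooling. The only identifier taken from the page is the apmcfgupload component under /cgi-bin/; the sample log lines, the full CGI path and the parameter names are constructed for illustration, so the detector matches on the endpoint name rather than an exact path. It decodes parameter values twice so that a double-encoded shell metacharacter is still seen, and it reports POST requests to the endpoint at low confidence because Common Log Format does not record request bodies.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Common Log Format (CLF), the way a reverse proxy
# or capture-derived HTTP log in front of the router might record requests.
# The CGI path and parameter names are illustrative, not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:01:02 +0000] "GET /cgi-bin/apmcfgupload?file=ap1.cfg&ts=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jan/2025:10:01:09 +0000] "GET /cgi-bin/apmcfgupload?file=ap1.cfg%3Bid HTTP/1.1" 200 17
203.0.113.7 - - [10/Jan/2025:10:01:31 +0000] "GET /cgi-bin/apmcfgupload?file=%2524%2528id%2529 HTTP/1.1" 200 17
198.51.100.2 - - [10/Jan/2025:10:02:00 +0000] "POST /cgi-bin/apmcfgupload HTTP/1.1" 200 0
198.51.100.9 - - [10/Jan/2025:10:03:00 +0000] "GET /cgi-bin/wlogin.cgi?u=a%3Bid HTTP/1.1" 403 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# The advisory names the apmcfgupload component under /cgi-bin/; match on
# that component so the exact on-device path need not be known.
ENDPOINT_RE = re.compile(r'^/cgi-bin/.*apmcfgupload', re.IGNORECASE)

# Characters that let a parameter value break out into a shell: command
# separator, pipe, background/and, backtick, variable or subshell, newline.
SHELL_META_RE = re.compile(r'[;|&`$\n]')


def decode_value(raw: str) -> str:
    """Decode twice so a double-encoded payload (%2524 -> %24 -> $) is seen."""
    return unquote_plus(unquote_plus(raw))


def inspect_line(line: str):
    """Return a finding dict for a suspicious apmcfgupload request, else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    if not ENDPOINT_RE.match(unquote_plus(parts.path)):
        return None  # some other CGI; out of scope for this CVE
    # Split on the raw '&' first so the separator itself is not treated as
    # a metacharacter; only decoded parameter values are inspected.
    for param in parts.query.split('&'):
        name, _, raw = param.partition('=')
        value = decode_value(raw)
        if SHELL_META_RE.search(value):
            return {'ip': m['ip'], 'ts': m['ts'], 'confidence': 'high',
                    'param': unquote_plus(name), 'value': value}
    if m['method'] == 'POST':
        # Body is not in CLF; the request reached the vulnerable endpoint,
        # so surface it for review without claiming a payload was seen.
        return {'ip': m['ip'], 'ts': m['ts'], 'confidence': 'low',
                'param': None, 'value': None}
    return None


def scan(log_text: str):
    """Run inspect_line over every line and keep the findings."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The router itself will not necessarily produce such a log; the lines have to come from a reverse proxy, WAF or packet capture in front of the management interface, and a low-confidence POST hit needs the request body (from a capture) before it can be confirmed or dismissed.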
Mitigation
  • Status: The vulnerability has been addressed. Users are advised to upgrade their device firmware to version 1.5.1.5 or later to patch the issue [1] [7].
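Triaging a device inventory against the fixed version, as an added example that is not from the page or from DrayTek. The model names and version boundaries are the ones given above (Vigor3900 taken from source [5]); the inventory rows are constructed. The point worth showing is that firmware versions must be compared numerically, component by component: compared as strings, '1.5.1.10' sorts before '1.5.1.5', and a patched device would be reported as vulnerable.

```python
from typing import Iterable, List, Tuple

# Models the page lists as affected: Vigor2960 and Vigor300B per NVD [2],
# Vigor3900 per source [5]. Version boundaries from the page: 1.5.1.4 is the
# affected release, 1.5.1.5 the fix.
AFFECTED_MODELS = {"vigor2960", "vigor300b", "vigor3900"}
VULNERABLE_VERSION = (1, 5, 1, 4)
FIXED_VERSION = (1, 5, 1, 5)

# Constructed inventory rows (hostname, model, firmware); not real devices.
INVENTORY = [
    ("edge-01", "Vigor2960", "1.5.1.4"),
    ("edge-02", "Vigor 300B", "1.5.1.5"),
    ("edge-03", "Vigor3900", "1.5.1.10"),
    ("edge-04", "Vigor2960", "1.5.1.2"),
    ("edge-05", "Vigor2865", "1.5.1.4"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.5.1.10' -> (1, 5, 1, 10). Build suffixes such as '_beta' or '-rc1'
    are dropped so the numeric core still compares; junk raises ValueError."""
    core = text.strip().split("_")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def classify(model: str, firmware: str) -> str:
    """Verdict for one device: not-listed, patched, vulnerable or below-fix-review."""
    key = model.lower().replace(" ", "")
    if key not in AFFECTED_MODELS:
        return "not-listed"
    version = parse_version(firmware)
    if version >= FIXED_VERSION:
        return "patched"
    if version == VULNERABLE_VERSION:
        return "vulnerable"
    # Older than the release the advisory names: the page does not confirm it
    # as affected, but it is below the fix, so it still belongs on the upgrade list.
    return "below-fix-review"


def triage(rows: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Classify every (host, model, firmware) row."""
    return [(host, classify(model, fw)) for host, model, fw in rows]


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY):
        print(f"{host:10} {verdict}")
```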

Sources

  1. NVD - CVE-2024-12987

    A critical vulnerability in DrayTek Vigor2960 and Vigor300B 1.5.1.4 allows remote attackers to execute arbitrary commands via the web management interface. The exploit is public and the affected component can be upgraded to 1.5.1.5 to fix the issue. ... Vulnerability Change Records for CVE-2024-1298…

  2. CVE-2024-12987 Detail - NVD

    CVE-2024-12987 Detail. Description. A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an ...

  3. nuclei-templates/http/cves/2024/CVE-2024-12987.yaml at main ... - GitHub

    Community curated list of templates for the nuclei engine to find security vulnerabilities. - projectdiscovery/nuclei-templates…

  4. CVE-2024-12987 - Critical OS Command Injection in DrayTek Vigor2960 and ...

    In early 2024, a dangerous vulnerability was found in two popular DrayTek routers (Vigor2960 and Vigor300B). Identified as CVE-2024-12987, this flaw can let attackers take over the device by simply sending a crafted web request, with no authentication required. If you use these devices, you must act fast.

  5. DrayTek Vigor - OS Command Injection Vulnerability

    CVE-2024-12987 is a critical OS Command Injection vulnerability in DrayTek Vigor2960, Vigor300B, and Vigor3900 routers running firmware v1.5.1.4.

  6. POCS/CVE-2024-12987 at master · killvxk/POCS

    May the POC be with you. Contribute to killvxk/POCS development by creating an account on GitHub.

  7. CVE-2024-12987 - GitHub Advisory Database

    A critical vulnerability in the web management interface of DrayTek Vigor2960 and Vigor300B 1.5.1.4 allows remote attackers to execute os commands. The exploit is public and the patch is 1.5.1.5.