ACTIVELY EXPLOITED · 3 sources verified
By Lyrie Threat Intelligence·5/15/2025

What happened

CISA added CVE-2024-12987 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-05-15, confirming in-the-wild exploitation of affected DrayTek routers [CISA KEV]. The vulnerability is an OS command injection affecting the web management interface on Vigor2960, Vigor300B, and Vigor3900 models, tied to an unknown function in the file path /cgi-bin/mainfunction.cgi/apmcfgupload [CISA KEV]. CISA’s entry directs organizations to apply vendor mitigations, follow relevant BOD 22-01 guidance for cloud services, or discontinue product use if mitigations are unavailable [CISA KEV]. The issue maps to command injection (CWE-78), consistent with arbitrary command execution risks on the underlying OS [NVD entry]. CISA set a remediation due date of 2025-06-05 for impacted entities, underscoring urgency given active exploitation status [CISA KEV].

Why it matters

Edge routers are high-value initial-access targets because compromise enables traffic interception, covert tunneling, and persistence at the network boundary, outcomes that align with command injection on a router OS [NVD entry]. KEV inclusion means exploitation is confirmed—not hypothetical—so exposed management interfaces on these DrayTek models represent immediate risk if unmitigated [CISA KEV]. A router-level foothold can bypass endpoint controls and enable lateral movement or staging for further operations, magnifying impact beyond a single device [MITRE CVE record]. For organizations with distributed sites or unmanaged edge gear, remediation priority should be at the very top of the queue due to the active threat signal from KEV [CISA KEV].

Technical detail

CVE-2024-12987 targets the web management interface of DrayTek Vigor2960, Vigor300B, and Vigor3900, specifically involving an unknown function within the file path /cgi-bin/mainfunction.cgi/apmcfgupload [CISA KEV]. The weakness is categorized under CWE-78 (OS command injection), implying that user-controlled input can be interpreted as shell commands on the router’s underlying system [NVD entry]. CISA’s KEV listing confirms that attackers are actually leveraging this flaw in the wild, which raises the likelihood of opportunistic scanning and widespread exploitation of exposed devices [CISA KEV]. Public records for this CVE do not specify authentication requirements or the full request structure; defenders should assume an HTTP interaction with the identified path is central to the exploit chain, given the CGI context and KEV description [MITRE CVE record]. In practical terms, successful exploitation would grant the attacker the ability to run arbitrary commands as the web service or system user, enabling payload drop, configuration tampering, or pivoting through the router [NVD entry].

Defense

  • Patch/mitigate immediately per vendor guidance; if mitigations are unavailable, discontinue use of affected devices per CISA’s required action and BOD 22-01 reference [CISA KEV].
  • Remove external exposure of the web management interface, enforce management from trusted segments only, and disable remote admin features where possible given the confirmed exploitation signal [CISA KEV].
  • Monitor for HTTP requests targeting the path /cgi-bin/mainfunction.cgi/apmcfgupload and investigate any access attempts or anomalies involving this endpoint on Vigor2960/300B/3900 [CISA KEV].
  • Hunt for indicators of post-exploitation: unexpected outbound connections from the router, suspicious scheduled tasks/scripts, and unauthorized configuration changes consistent with command execution abuse (CWE-78 context) [NVD entry].
  • Validate an accurate inventory of DrayTek Vigor2960, Vigor300B, and Vigor3900 units across all sites and prioritize isolation/updates on any device with an internet-exposed management interface due to active exploitation status [CISA KEV].
  • If compromise is suspected, rotate administrative credentials, reimage to trusted firmware, and reapply hardened configurations before restoring connectivity to untrusted networks, aligning with the risks outlined for command injection [MITRE CVE record].

Lyrie Verdict

CVE-2024-12987 is an edge-device command injection being actively exploited, which demands machine-speed controls rather than ticket-queue response [CISA KEV]. Lyrie’s position: treat router management paths as hostile interfaces and instrument autonomous detection over three layers—ingress HTTP, device behavior, and egress network—so exploitation chains are cut in seconds, not hours [NVD entry]. Concretely, deploy autonomous policies that: 1) flag or block requests to /cgi-bin/mainfunction.cgi/apmcfgupload on identified Vigor models, 2) detect shell-like command execution patterns on the device, and 3) quarantine routers that initiate new unsolicited outbound sessions post-request, all tied to the KEV indicator and CWE-78 behavior [MITRE CVE record]. This is precisely where anti-rogue-AI defense matters—attackers will automate scanning and trigger exploitation at scale, and only autonomous, policy-backed detectors can reliably match that tempo at the network edge [CISA KEV].
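The Defense bullets on monitoring the KEV path and hunting for unexpected outbound connections, and the verdict's ingress and egress layers, can be expressed as a small correlation routine. The following is an added example written for this page, not Lyrie's product code and not derived from any public exploit. It assumes a constructed inventory of router addresses, a trusted management segment, a learned egress baseline, and sample HTTP and flow logs in a simple space-separated format; all of those values are made up for illustration. The device-behavior layer is omitted because the page does not describe the router-side telemetry it would need.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Hypothetical inventory of affected DrayTek units (constructed addresses).
ROUTERS = {"203.0.113.10": "Vigor2960", "203.0.113.20": "Vigor3900"}
# Segment from which management access is legitimately expected (assumption).
TRUSTED_MGMT = [ipaddress.ip_network("10.0.0.0/24")]
# Destinations each router normally talks to (assumption: a learned egress baseline).
EGRESS_BASELINE = {"203.0.113.10": {"203.0.113.1"}, "203.0.113.20": {"203.0.113.1"}}

KEV_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"   # path named in the KEV entry
SHELL_META = re.compile(r"[;|`&]|\$\(")               # generic shell-metacharacter heuristic

# Constructed sample logs: "ts src dst method target status" and "ts src dst:port".
HTTP_LOG = """\
2025-05-15T10:00:00 10.0.0.5 203.0.113.10 GET /cgi-bin/mainfunction.cgi/status 200
2025-05-15T10:01:00 198.51.100.7 203.0.113.10 POST /cgi-bin/mainfunction.cgi/apmcfgupload 200
2025-05-15T10:02:00 198.51.100.7 203.0.113.20 POST /cgi-bin/mainfunction.cgi/apmcfgupload?f=a%3Bb 200
2025-05-15T10:03:00 10.0.0.5 203.0.113.20 GET /cgi-bin/mainfunction.cgi/apmcfgupload 403
"""
FLOW_LOG = """\
2025-05-15T10:00:30 203.0.113.10 203.0.113.1:53
2025-05-15T10:01:20 203.0.113.10 198.51.100.9:4444
2025-05-15T10:40:00 203.0.113.20 192.0.2.8:443
"""


def parse_http(line):
    ts, src, dst, method, target, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "target": target, "status": int(status)}


def parse_flow(line):
    ts, src, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": host, "port": int(port)}


def ingress_alerts(http_lines):
    """Layer 1: every request for the KEV path on an inventoried router is an alert.

    Reasons raise priority: a source outside the management segment, or shell
    metacharacters in the decoded request target (CWE-78 heuristic, not a signature).
    """
    alerts = []
    for line in http_lines.splitlines():
        req = parse_http(line)
        if req["dst"] not in ROUTERS or urlsplit(req["target"]).path != KEV_PATH:
            continue
        reasons = []
        src = ipaddress.ip_address(req["src"])
        if not any(src in net for net in TRUSTED_MGMT):
            reasons.append("untrusted_source")
        if SHELL_META.search(unquote(req["target"])):
            reasons.append("shell_metachar")
        alerts.append({**req, "model": ROUTERS[req["dst"]], "reasons": reasons})
    return alerts


def egress_quarantine(alerts, flow_lines, window=timedelta(minutes=10)):
    """Layer 3: routers that open a non-baseline outbound session within `window`
    of a KEV-path hit are quarantine candidates. Returns {router: [new dests]}."""
    flows = [parse_flow(l) for l in flow_lines.splitlines()]
    quarantine = {}
    for alert in alerts:
        for flow in flows:
            if flow["src"] != alert["dst"]:
                continue
            if not (alert["ts"] <= flow["ts"] <= alert["ts"] + window):
                continue
            if flow["dst"] in EGRESS_BASELINE.get(flow["src"], set()):
                continue
            quarantine.setdefault(flow["src"], []).append(f"{flow['dst']}:{flow['port']}")
    return quarantine


if __name__ == "__main__":
    found = ingress_alerts(HTTP_LOG)
    for a in found:
        print(f"{a['ts']} {a['model']} {a['dst']} <- {a['src']} {a['method']} reasons={a['reasons']}")
    print("quarantine:", egress_quarantine(found, FLOW_LOG))
```

On the constructed data the trusted-segment request still produces an alert (the path itself is the KEV indicator) but carries no escalating reason, the two external requests are escalated, and only the Vigor2960 is quarantined because its new outbound session falls inside the window; the Vigor3900's later session does not. In production the baseline and window would come from observed traffic rather than constants.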

Lyrie Verdict

Autonomous controls should watch for hits to /cgi-bin/mainfunction.cgi/apmcfgupload, command-exec patterns, and new outbound sessions on Vigor2960/300B/3900—quarantine in seconds.