OS Command Injection in DrayTek Vigor2960/Vigor300B Web Management Interface

Successful exploitation can result in remote arbitrary command execution on the affected router, which can lead to full device compromise. An attacker may be able to alter configuration, disrupt routing or security functions, deploy malware or botnet payloads, establish persistence, pivot into adjacent networks, and use the device for follow-on activity such as DDoS operations or further intrusion. The vulnerability has also been reported as actively exploited and included in CISA's KEV catalog.

If immediate patching is not possible, restrict access to the Web Management Interface to trusted administrative networks only, disable public Internet exposure of the management interface, and require access through a VPN or other controlled management path. Place the device behind filtering controls that limit access to the CGI management endpoints, enforce strong authentication for administrative access, and monitor management and network logs for suspicious requests to /cgi-bin/mainfunction.cgi/apmcfgupload, unexpected command execution, configuration changes, outbound callbacks, or anomalous DoH/DDoS-related traffic.

Upgrade affected DrayTek Vigor2960 and Vigor300B devices from firmware 1.5.1.4 to firmware version 1.5.1.5 or later, as vendor reporting indicates version 1.5.1.5 addresses the issue. After upgrading, verify the installed firmware version and confirm normal device functionality. Review device configuration and logs for signs of prior compromise, especially if the management interface was exposed to untrusted networks.