Vigor2960 - RCE (CVE-2024-12987)
233Exploiting IPs reported
A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.
CrowdSec analysis
CVE-2024-12987 is a vulnerability in DrayTek router management interfaces that allows for remote OS command injection via crafted inputs to a web management endpoint.
CrowdSec has been tracking this vulnerability and its exploits since 11th of June 2025.
CrowdSec network data shows that most actors exploiting CVE-2024-12987 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. CrowdSec data also reveals a clear uptick in attacks involving CVE-2024-12987 over the past week. Activity is above the usual baseline, suggesting growing attention from attackers. This may reflect rising awareness, recent exploit releases, or expanded targeting efforts.
Exploitation typically involves requests to the /cgi-bin/mainfunction.cgi/apmcfgupload URL, with the attack focusing on manipulation of session parameters.
Exploitation
Get real-time information about exploitation attempts and actors involved.
Common Weakness Enumeration (CWE)
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.