PatchSiren

CVE-2024-12987 DrayTek CVE debrief

CVE-2024-12987 is a DrayTek Vigor Routers OS command injection vulnerability that CISA added to its Known Exploited Vulnerabilities catalog on 2025-05-15. Because it is listed in KEV, defenders should treat it as an active-exploitation risk and prioritize vendor-recommended mitigations immediately.

Vendor: DrayTek
Product: Vigor Routers
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-05-15
Original CVE updated: 2025-05-15
Advisory published: 2025-05-15
Advisory updated: 2025-05-15

Who should care

Network and security teams responsible for DrayTek Vigor Routers, in particular the Vigor2960, Vigor300B and Vigor3900 models named in the KEV metadata, and especially environments that rely on these devices for perimeter, VPN or remote-access functions.

Technical summary

The public record identifies the issue as an OS command injection vulnerability in DrayTek Vigor Routers. The CISA KEV entry does not provide exploit mechanics, but its inclusion indicates known exploitation. CISA’s required action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Defensive priority

High. KEV inclusion means this vulnerability has been observed in active exploitation, so remediation should be expedited using vendor guidance and asset-focused verification.

Recommended defensive actions

  • Identify all DrayTek Vigor Routers in scope and record, for each device, the model, the running firmware version, and whether its management interface is reachable from the WAN or any other untrusted network.
  • Apply the vendor mitigations referenced by CISA as soon as possible; the KEV entry points to the firmware v1.5.1.5 release notes for the Vigor2960, Vigor300B and Vigor3900, so confirm the fixed version for each model against those notes before declaring a device remediated.
  • If mitigations are unavailable or cannot be applied, plan to discontinue use of the affected product, and in the meantime remove WAN-side reachability of the management interface.
  • Follow CISA BOD 22-01 guidance where applicable for cloud services and managed environments.
  • Validate that remediation is complete on every in-scope device, not just that firmware was pushed, before the KEV due date of 2025-06-05.
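The following triage script is an added example, not PatchSiren's or DrayTek's code. It walks the steps above against a constructed asset list: it reads a KEV-style record (the field names mirror the public KEV catalog JSON), computes the time left before the due date, and flags inventory rows whose model is one of the three named in the KEV notes and whose firmware is below a target version. The target version 1.5.1.5 is an assumption taken from the release notes the KEV entry links to, as are the hostnames, the firmware strings and the exposure column; verify the fixed version per model against the vendor notes before relying on the result.

```python
"""Triage a KEV-listed router CVE against a local asset inventory.

Added example, not code from PatchSiren or DrayTek. Assumptions:
  - TARGET_FIRMWARE (1.5.1.5) is the remediated version; taken from the release
    notes the KEV entry links to, not confirmed here for every model.
  - The inventory model strings use the same spelling as the KEV notes.
  - KEV_RECORD_JSON is a constructed snippet using the public catalog's field names.
"""
import csv
import io
import json
import re
from datetime import date

# Constructed KEV-style record (field names follow the public KEV JSON schema).
KEV_RECORD_JSON = """
{"cveID": "CVE-2024-12987", "vendorProject": "DrayTek", "product": "Vigor Routers",
 "vulnerabilityName": "DrayTek Vigor Routers OS Command Injection Vulnerability",
 "dateAdded": "2025-05-15", "dueDate": "2025-06-05",
 "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."}
"""

# Models named by the release-note links in the KEV metadata.
AFFECTED_MODELS = {"Vigor2960", "Vigor300B", "Vigor3900"}
TARGET_FIRMWARE = "1.5.1.5"  # assumed fixed version; confirm against vendor release notes

# Constructed inventory; not real devices.
INVENTORY_CSV = """hostname,model,firmware,wan_mgmt_exposed
edge-01,Vigor2960,1.5.1.4,yes
edge-02,Vigor3900,1.5.1.5,no
edge-03,Vigor300B,1.4.4,yes
branch-07,Vigor2860,3.9.8,no
"""


def parse_version(text):
    """Map '1.5.1.5' (or '1.5.1.5_BT') to (1, 5, 1, 5) so comparison is numeric."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def load_kev_record(text):
    """Pull the fields a defender acts on out of a KEV catalog entry."""
    rec = json.loads(text)
    return {
        "cve": rec["cveID"],
        "date_added": date.fromisoformat(rec["dateAdded"]),
        "due_date": date.fromisoformat(rec["dueDate"]),
        "required_action": rec["requiredAction"],
    }


def days_until_due(rec, today_iso):
    """Days remaining to the KEV due date from an ISO date string; negative if overdue."""
    return (rec["due_date"] - date.fromisoformat(today_iso)).days


def triage_inventory(csv_text, affected_models=AFFECTED_MODELS, target=TARGET_FIRMWARE):
    """Return one finding per affected-model device running firmware below target.

    Devices with the management interface exposed to the WAN are ranked P1 and
    listed first; everything else that still needs patching is P2.
    """
    target_v = parse_version(target)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["model"] not in affected_models:
            continue  # not one of the models the KEV notes name; check vendor advisory separately
        if parse_version(row["firmware"]) >= target_v:
            continue  # already at or above the assumed fixed version
        exposed = row["wan_mgmt_exposed"].strip().lower() == "yes"
        findings.append({
            "hostname": row["hostname"],
            "model": row["model"],
            "firmware": row["firmware"],
            "exposed": exposed,
            "priority": "P1" if exposed else "P2",
        })
    findings.sort(key=lambda f: (not f["exposed"], f["hostname"]))
    return findings


def render_report(rec, findings, today_iso):
    """Produce the lines a ticket or status page would carry."""
    lines = [f"{rec['cve']}: {days_until_due(rec, today_iso)} day(s) until KEV due date {rec['due_date']}"]
    for f in findings:
        lines.append(f"{f['priority']} {f['hostname']} {f['model']} fw {f['firmware']} "
                     f"{'WAN-exposed mgmt' if f['exposed'] else 'internal only'}")
    return lines


if __name__ == "__main__":
    record = load_kev_record(KEV_RECORD_JSON)
    for line in render_report(record, triage_inventory(INVENTORY_CSV), "2025-05-15"):
        print(line)
```

Version strings are compared as integer tuples rather than as text, which matters here because a lexical comparison would rank "1.4.4" above "1.5.1.4" only by accident of length and would misorder builds past the tenth minor release.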

Evidence notes

The source corpus identifies CVE-2024-12987 as a DrayTek Vigor Routers OS command injection vulnerability and shows it was added to CISA KEV on 2025-05-15 with a due date of 2025-06-05. The KEV metadata points to vendor release-note PDFs for DrayTek Vigor2960, Vigor300B, and Vigor3900 firmware v1.5.1.5, but the corpus does not provide their contents here. No CVSS score was supplied in the source corpus.

Official resources

The CVE record for the vulnerability description, and the CISA KEV catalog entry for the exploitation timeline: added 2025-05-15, remediation due 2025-06-05. The KEV entry links to the DrayTek release notes for Vigor2960, Vigor300B and Vigor3900 firmware v1.5.1.5, which are the vendor instructions its required action refers to.