CVE-2020-15415
DrayTek Multiple Vigor Routers OS Command Injection Vulnerability
CVSS
—
No CVSS
EPSS
84.2%
p100
KEV
YES
Sep 30, 2024
Exploit Today
80
0-100
Published: — · Last modified: —
Product
DrayTek / Multiple Vigor Routers
Vulnerability
DrayTek Multiple Vigor Routers OS Command Injection Vulnerability
Added to KEV
Sep 30, 2024
Remediate by
Oct 21, 2024
Known ransomware use
No
Summary description
DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.
Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472) ; https://nvd.nist.gov/vuln/detail/CVE-2020-15415