CVE-2020-15415 - DrayTek Multiple Vigor Routers OS Command Injection Vulnerability

CVE-2020-15415

DrayTek | Multiple Vigor Routers

  • Date Added: 2024-09-30
  • Due Date: 2024-10-21

Vulnerability Name

DrayTek Multiple Vigor Routers OS Command Injection Vulnerability

Description

DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472)

https://nvd.nist.gov/vuln/detail/CVE-2020-15415
