
CVE-2020-15415 - DrayTek Multiple Vigor Routers OS Command Injection Vulnerability

Project: DrayTek

Product: Multiple Vigor Routers

Date Added: 2024-09-30

Due Date: 2024-10-21

Vulnerability Name

DrayTek Multiple Vigor Routers OS Command Injection Vulnerability

Description

DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472)

https://nvd.nist.gov/vuln/detail/CVE-2020-15415