CVE-2020-8515
CVE-2020-8515
In short
DrayTek router models allow attackers to execute malicious commands with root privileges without needing a password, by sending specially crafted requests to a web interface. This lets attackers take complete control of the device.
Technical detail
Unauthenticated remote code execution (RCE) in DrayTek Vigor devices via shell metacharacter injection in the mainfunction.cgi endpoint. The vulnerability bypasses authentication and executes arbitrary commands with root privileges; no pre-conditions beyond network access to the web interface are required.
Summary generated and translated by AI from the official description.
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/apublic PoCs found — 5
githubgithub.com/imjdl/CVE-2020-8515-PoC★ 14githubgithub.com/darrenmartyn/CVE-2020-8515★ 5githubgithub.com/truerandom/nmap_draytek_rce★ 2cve_referencepacketstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.htmlunverifiedexploitdbwww.exploit-db.com/exploits/48268unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.htmlhttps://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.htmlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8515https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-%28cve-2020-8515%29/