CVE-2021-20124
CVE-2021-20124
In short
A security flaw in Draytek VigorConnect allows attackers to download any file from the system without logging in, potentially exposing sensitive data like passwords and configuration files.
Technical detail
A path traversal vulnerability (CWE-22) in the WebServlet file download endpoint permits unauthenticated arbitrary file retrieval with root-level privileges. Attack requires only HTTP request manipulation; no authentication or special conditions needed. Impact includes unauthorized access to sensitive system files.
Summary generated and translated by AI from the official description.
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · Draytek VigorConnectWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →