OS Command Injection Vulnerability in DrayTek Vigor 2960
CVE-2022-50994

9.2 CRITICAL

Key Information:

Vendor: Draytek

CVE Published: 8 May 2026

What is CVE-2022-50994?

DrayTek Vigor 2960 firmware before version 1.5.1.4 contains an OS command injection vulnerability in its CGI login handler. The handler passes the formpassword parameter, without sanitisation, to the otp_check.sh script, so an unauthenticated remote attacker who places shell metacharacters in that parameter can execute arbitrary commands with the privileges of the web server. Exploitation requires a valid username, and the targeted account must have Multi-Option Authentication (MOTP) enabled.
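As an added illustration (not DrayTek's firmware code and not taken from this advisory), the following shows the pattern the description names, a form that is concatenated into a shell command, next to a hardened handler that validates the fields and invokes the checker without a shell, plus a log check a defender could run. The script path /assumed/path/otp_check.sh, the login CGI path /cgi-bin/login.cgi, the accepted OTP and username formats, and the access-log layout are all assumptions made for the example.

```python
"""Added example, not DrayTek firmware code.  The script location, the
login CGI path, the accepted OTP/username formats and the access-log
layout below are assumptions made for this illustration."""
import re
import subprocess
from typing import List, Tuple
from urllib.parse import parse_qs

OTP_CHECK = "/assumed/path/otp_check.sh"   # placeholder; real path not on the page

# Characters that let a shell split one argument into several commands.
SHELL_META = re.compile(r"[;&|`$<>\n(){}\\]")
# Allow-lists (assumed): an OTP code is 6 to 8 digits; usernames use a conservative set.
OTP_FORMAT = re.compile(r"[0-9]{6,8}")
USER_FORMAT = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def vulnerable_command(username: str, formpassword: str) -> str:
    """The pattern the advisory describes: form fields concatenated into a
    command line that is then handed to a shell (system(), popen(), sh -c).
    Every metacharacter in formpassword is interpreted by that shell."""
    return f"{OTP_CHECK} {username} {formpassword}"


def safe_argv(username: str, formpassword: str) -> List[str]:
    """Hardened form: each field is its own argv entry and no shell is
    involved, so metacharacters remain literal bytes inside one argument."""
    return [OTP_CHECK, username, formpassword]


def validate_login_fields(username: str, formpassword: str) -> bool:
    """Reject anything outside the allow-lists before any script runs."""
    return bool(USER_FORMAT.fullmatch(username)) and bool(OTP_FORMAT.fullmatch(formpassword))


def check_otp(username: str, formpassword: str, runner=subprocess.run) -> bool:
    """Validate, then invoke the checker without a shell.  `runner` is
    injectable so the flow can be exercised without the real script."""
    if not validate_login_fields(username, formpassword):
        return False
    result = runner(safe_argv(username, formpassword), shell=False,
                    capture_output=True, timeout=5)
    return result.returncode == 0


# Constructed access-log lines (not real DrayTek logs): src "METHOD path" status "body".
SAMPLE_LOG = [
    '203.0.113.7 "POST /cgi-bin/login.cgi" 200 "username=alice&formpassword=123456"',
    '203.0.113.9 "POST /cgi-bin/login.cgi" 200 "username=alice&formpassword=123456%3Bid"',
    '198.51.100.4 "GET /index.htm" 200 "-"',
]
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" \d+ "(?P<body>[^"]*)"$')


def suspicious_login_posts(lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: login POSTs whose URL-decoded formpassword carries shell
    metacharacters.  Returns (source address, decoded value) pairs."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].endswith("/login.cgi"):
            continue
        for value in parse_qs(m["body"]).get("formpassword", []):
            if SHELL_META.search(value):
                hits.append((m["src"], value))
    return hits


if __name__ == "__main__":
    print("unsafe command line:", vulnerable_command("alice", "123456;id"))
    print("safe argv:", safe_argv("alice", "123456;id"))
    print("flagged:", suspicious_login_posts(SAMPLE_LOG))
```

The two defences are independent: the allow-list stops malformed input before any script is reached, and the argv form means that even input which slips past validation can never be re-parsed by a shell. The log check only sees request bodies if the web server records them, which is an assumption about the deployment, not a property of the device.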

Affected Version(s)

Vigor 2960 0

References

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
