DrayTek Vigor 2960 Web Management Interface mainfunction.cgi command injection
CVE-2023-1162

8.8 HIGH

Key Information:

Vendor

DrayTek

CVE Published: 3 March 2023

What is CVE-2023-1162?

A command injection vulnerability exists in the Web Management Interface of the DrayTek Vigor 2960, specifically in the mainfunction.cgi file. The flaw arises from improper handling of the password argument, which allows a remote attacker to execute arbitrary commands on the affected device. The vulnerability poses a significant risk, particularly because the product is no longer supported by its vendor and may not receive security updates or patches. Organizations using the DrayTek Vigor 2960 should assess their exposure promptly and put mitigations in place against exploitation of this vulnerability.

Affected Version(s)

Vigor 2960 1.5.1.4

Vigor 2960 1.5.1.5

EPSS Score

35% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Tmotfl (VulDB User)