DrayTek Vigor 2960 Web Management Interface mainfunction.cgi command injection
CVE-2023-1162

8.8HIGH

Key Information:

Vendor

DrayTek
Status
Vigor 2960
Vendor
CVE Published:
3 March 2023

What is CVE-2023-1162?

A command injection vulnerability exists in the Web Management Interface of DrayTek Vigor 2960, specifically in the mainfunction.cgi file. This flaw arises from improper handling of the password argument, allowing remote attackers to execute arbitrary commands on the affected device. The vulnerability poses a significant risk, particularly for products that are no longer supported by their vendor, as they may not receive necessary security updates or patches. Organizations using the DrayTek Vigor 2960 should take immediate action to assess their exposure and implement mitigations against this exploit.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Vigor 2960 1.5.1.4

Vigor 2960 1.5.1.5

References

https://vuldb.com/?id.222258
vdb-entrytechnical-description
https://vuldb.com/?ctiid.222258
signaturepermissions-required
https://github.com/xxy1126/Vuln/blob/main/Draytek/2.md
exploit

EPSS Score

41% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Tmotfl (VulDB User)
JSON
.