CVE-2023-24229

moderate-risk

Published 2023-03-15

DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Do I need to act?

-

0.81% chance of exploitation

EPSS score — low exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

7

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (1)

Vigor2960 Firmware

Affected Vendors

Draytek

References (12)

Exploit https://github.com/sadwwcxz/Vul

https://web.archive.org/web/20230315181013/https://github.com/sadwwcxz/Vul

https://www.draytek.co.uk/support/guides/kb-remotemanagement

Not Applicable https://www.draytek.com/

https://www.draytek.com/about/newsroom/2021/2021/end-of-life-notification-vigor2...

https://www.draytek.com/support/knowledge-base/5465

Exploit https://github.com/sadwwcxz/Vul

https://web.archive.org/web/20230315181013/https://github.com/sadwwcxz/Vul

https://www.draytek.co.uk/support/guides/kb-remotemanagement

Not Applicable https://www.draytek.com/

https://www.draytek.com/about/newsroom/2021/2021/end-of-life-notification-vigor2...

https://www.draytek.com/support/knowledge-base/5465

32

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 3/34 · Minimal

Exposure 5/34 · Minimal