CVE-2020-15415

CVSS 9.8 CRITICALEPSS 84.6%● KEVCWE-78

Vexday Risk Score

95Fix now

SSVC decision (CISA)

Act

Exploitation + impact → act immediately

CVSS 9.8EPSS 84.6%KEV simPoC —Nuclei simMetasploit —Patch —

Lifecycle

30 Jun 2020Published on NVD

30 Sep 2024Active exploitation (CISA KEV)

Recommendation: Patch as soon as possible — active exploitation confirmed.

In short

A vulnerability in DrayTek routers allows attackers to run arbitrary commands on the device by uploading a file with a specially crafted filename containing shell commands. This bypasses security controls and gives attackers complete control over the router.

Technical detail

CWE-78 OS Command Injection in cgi-bin/mainfunction.cgi/cvmcfgupload endpoint allows unauthenticated remote command execution when text/x-python-script content type is used with shell metacharacters in the filename parameter. No authentication required; successful exploitation results in arbitrary code execution with device privileges.

Summary generated and translated by AI from the official description.

On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/CLP-team/Vigor-Commond-Injection https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-15415 https://www.draytek.com/about/security-advisory