Fixed Intel

CISA Known Exploited Vulnerability

This vulnerability is actively exploited in the wild and listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation Deadline: Oct 21, 2024

CVE-2020-15415

High
EPSS 93.0%CISA KEV
DrayTek/Multiple Vigor Routers

Description

DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.

EPSS — Exploit Probability

93.0%

Higher than 99.8% of all CVEs

Required Action

https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472) ; https://nvd.nist.gov/vuln/detail/CVE-2020-15415

Risk Assessment

HIGH
In CISA KEV
High EPSS

Details

Severity
High
EPSS
93.0%
CISA KEV
Yes
Ransomware
Unknown
Articles
0

Timeline

Published

Sep 30, 2024

Added to KEV

Sep 30, 2024

Remediation Due

Oct 21, 2024

Affected Product

DrayTek

Multiple Vigor Routers

View all DrayTek CVEs

External Links

NVD (NIST)CVE DetailsMITRE CVE