CVE-2020-14472
Published: 2020-06-24
CVE-2020-14472: On Draytek Vigor3900, Vigor2960, and Vigor 300B devices before 1.5.1.1, there are some command-injection vulnerabilities in the mainfunction.cgi file.
Priority: P2 (61) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: Exploited in the wild
EPSS: 2.93% (85.4th percentile)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigor2960_firmware | < 1.5.1 | 1.5.1 |
| draytek | vigor2960_firmware | < 1.5.1.1 | 1.5.1.1 |
| draytek | vigor300b_firmware | < 1.5.1 | 1.5.1 |
| draytek | vigor300b_firmware | < 1.5.1.1 | 1.5.1.1 |
| draytek | vigor3900_firmware | < 1.5.1 | 1.5.1 |
| draytek | vigor3900_firmware | < 1.5.1.1 | 1.5.1.1 |
Detection & IOCs (extracted from sources)
path: /cgi-bin/mainfunction.cgi
command: action=authuser
Suricata rule (ET Open, sid 2058340; it uses Suricata sticky-buffer keywords such as http.uri, bsize, url_decode and base64_data, so it is Suricata rather than Snort syntax):
alert http any any -> any any (msg:"ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi formpassword Command Injection Attempt (CVE-2020-14472)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/cgi-bin/mainfunction.cgi"; fast_pattern; http.request_body; url_decode; content:"URL|3d|"; content:"HOST|3d|http"; content:"action=authuser"; content:"formusername|3d|"; content:"formpassword|3d|"; base64_decode:offset 0, relative; base64_data; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2020-14472; reference:url,github.com/Cossack9989/Vulns/blob/master/IoT/CVE-2020-14472.md; classtype:attempted-admin; sid:2058340; rev:1; metadata:created_at 2024_12_17, cve CVE_2020_14472, confidence High, signature_severity Unknown, tag Exploit, updated_at 2024_12_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Exploit requests use HTTP POST to /cgi-bin/mainfunction.cgi. The rule's bsize:25 pins the URI to exactly that 25-byte path, so requests to sub-paths such as /cgi-bin/mainfunction.cgi/cvmcfgupload (the CVE-2020-15415 vector) do not match this rule.
- The request body carries a base64-encoded formpassword field. After base64 decoding, the rule's PCRE looks for shell metacharacters (;, newline, backtick, pipe, $, or their %-encoded forms %3B, %0A, %60, %7C, %24) before the first & in the decoded data, i.e. injected into the password parameter.
- The body also contains URL= and HOST=http parameters alongside formusername= and action=authuser, which are characteristic of this exploit's payload structure. These content checks run after url_decode, so %-encoding the field names does not evade them.
- CVE-2020-14472 is an OS command injection in cgi-bin/mainfunction.cgi on DrayTek Vigor3900, Vigor2960, and Vigor300B devices; it is distinct from CVE-2020-15415, which targets the cvmcfgupload sub-path.
- The CISA KEV entry and the NVD source both reference CVE-2020-15415 (cvmcfgupload / text/x-python-script vector) alongside CVE-2020-14472 (formpassword injection vector). The Suricata rule covers only the formpassword/authuser vector attributed to CVE-2020-14472, so monitoring driven by the KEV entry needs separate coverage for the cvmcfgupload vector.
- The fixed version is stated as 1.5.1.1 in the CVE description and vendor advisory, and as 1.5.1 in the CISA KEV and GHSA text for CVE-2020-15415; treat any firmware below 1.5.1.1 as affected until the device reports that version or newer. Patched devices are not vulnerable.
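As an added example (not code from the page, from the ET rule's authors, or from DrayTek), the following Python reproduces the rule's conditions for the formpassword vector in plain code and adds the sibling check for the cvmcfgupload vector that the rule leaves uncovered. The sample requests, the 192.0.2.1 host, the multipart boundary and all function names are constructed for illustration; the multipart framing (filename in Content-Disposition, a per-part Content-Type) is the standard RFC 7578 layout, which the page itself does not spell out.

```python
"""Detection logic for the two mainfunction.cgi command-injection vectors (added example)."""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

AUTH_URI = b"/cgi-bin/mainfunction.cgi"                 # 25 bytes: what the rule's bsize:25 pins
UPLOAD_URI = b"/cgi-bin/mainfunction.cgi/cvmcfgupload"  # CVE-2020-15415 vector, not covered by the rule
# Same metacharacter set as the rule's PCRE: ';' newline backtick '|' '$' and their %-encoded forms.
METACHAR_RE = re.compile(rb"[;\n`|$]|%3[Bb]|%0[Aa]|%60|%7[Cc]|%24")
REQUIRED_TOKENS = (b"URL=", b"HOST=http", b"action=authuser", b"formusername=", b"formpassword=")
FILENAME_RE = re.compile(rb'filename="([^"]*)"')


def parse_form_body(body: bytes) -> dict[bytes, bytes]:
    """Split a form-urlencoded body into {name: %-decoded value}; first occurrence wins."""
    fields: dict[bytes, bytes] = {}
    for pair in body.split(b"&"):
        if b"=" in pair:
            name, value = pair.split(b"=", 1)
            fields.setdefault(name, unquote_to_bytes(value))
    return fields


def decode_formpassword(value: bytes) -> bytes | None:
    """Strict base64 decode of the formpassword value; None when it is not base64 at all."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_cve_2020_14472_attempt(method: str, path: str, body: bytes) -> bool:
    """True when the request satisfies every condition of ET sid 2058340."""
    if method != "POST" or path.encode() != AUTH_URI:      # exact path, as bsize:25 enforces
        return False
    if not all(tok in body for tok in REQUIRED_TOKENS):    # the rule's content: checks (after url_decode)
        return False
    decoded = decode_formpassword(parse_form_body(body).get(b"formpassword", b""))
    if decoded is None:
        return False
    head = decoded.split(b"&", 1)[0]                        # PCRE ^[^\x26]*? : only before the first '&'
    return METACHAR_RE.search(head) is not None


def is_cve_2020_15415_attempt(method: str, path: str, body: bytes) -> bool:
    """True for a multipart POST to cvmcfgupload whose text/x-python-script part carries a
    filename with shell metacharacters. The RFC 7578 framing assumed here is not from the page."""
    if method != "POST" or path.encode() != UPLOAD_URI:
        return False
    # Simplified multipart scan: each block that precedes a blank line is treated as part headers.
    for headers in body.split(b"\r\n\r\n")[:-1]:
        if b"text/x-python-script" not in headers.lower():
            continue
        match = FILENAME_RE.search(headers)
        if match and METACHAR_RE.search(match.group(1)):
            return True
    return False


# --- constructed samples (shape only; not real captures) ---------------------------------
def build_login_body(username: bytes, password: bytes) -> bytes:
    b64 = quote_from_bytes(base64.b64encode(password), safe="").encode()  # %-encode '+', '/', '='
    return b"URL=/&HOST=http://192.0.2.1&action=authuser&formusername=" + username + b"&formpassword=" + b64


def build_upload_body(filename: bytes, content_type: bytes = b"text/x-python-script") -> bytes:
    return (b'--boundary\r\nContent-Disposition: form-data; name="file"; filename="' + filename
            + b'"\r\nContent-Type: ' + content_type + b"\r\n\r\nprint(1)\r\n--boundary--\r\n")


AUTH, UP = "/cgi-bin/mainfunction.cgi", "/cgi-bin/mainfunction.cgi/cvmcfgupload"
SAMPLES = {
    "benign_login":     ("POST", AUTH, build_login_body(b"admin", b"correct horse")),
    "injected_login":   ("POST", AUTH, build_login_body(b"admin", b"pw;id")),
    "encoded_injected": ("POST", AUTH, build_login_body(b"admin", b"pw%7Cid")),   # %-encoded pipe
    "get_not_post":     ("GET", AUTH, build_login_body(b"admin", b"pw|id")),
    "not_base64":       ("POST", AUTH, b"URL=/&HOST=http://x&action=authuser&formusername=a&formpassword=%3B%3B"),
    "benign_upload":    ("POST", UP, build_upload_body(b"cfg.py")),
    "injected_upload":  ("POST", UP, build_upload_body(b"cfg;id.py")),
    "wrong_ctype":      ("POST", UP, build_upload_body(b"cfg;id.py", b"application/octet-stream")),
}


def classify(samples: dict = SAMPLES) -> dict[str, str | None]:
    """Map each sample name to the CVE its request matches, or None."""
    out: dict[str, str | None] = {}
    for name, req in samples.items():
        if is_cve_2020_14472_attempt(*req):
            out[name] = "CVE-2020-14472"
        elif is_cve_2020_15415_attempt(*req):
            out[name] = "CVE-2020-15415"
        else:
            out[name] = None
    return out


if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:18} -> {hit}")
```

Run as a script to see each constructed sample classified. Two points carry over to any real deployment: the rule only fires on the bare 25-byte path and only inspects the formpassword field, so the cvmcfgupload check has to come from elsewhere; and the base64 value in the login body is %-encoded for '+', '/' and '=' here, which the rule's url_decode step reverses before base64_decode, so a client that sends those characters unencoded exercises a different normalization path.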
CVSS provenance
- NVD, v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- CISA: 9.8 CRITICAL
GHSA
GHSA-65hg-r7rx-55rg (CVE-2020-15415, CRITICAL, CWE-78) · ghsa_unreviewed · 2022-05-24 · CVSS 9.8
On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.
GHSA
GHSA-f4vq-gwc5-g45p (CVE-2020-14472, HIGH, CWE-77) · ghsa_unreviewed · 2022-05-24
DrayTek Vigor3900, Vigor2960, and Vigor300B with firmware before 1.5.1.1 are affected by a remote code injection/execution vulnerability.
CISA
DrayTek Multiple Vigor Routers OS Command Injection Vulnerability (CVE-2020-15415, CRITICAL, CWE-78) · cisa · added 2024-09-30 · CVSS 9.8
Affected: DrayTek Multiple Vigor Routers
DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472) ; https://nvd.nist.gov/vuln/detail/CVE-2020-15415
Remediation Due Date: 2024-10-21
Suricata
ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi formpassword Command Injection Attempt (CVE-2020-14472) · suricata · 2024-12-17 · CVSS 9.8 · CVE-2020-14472 [CRITICAL]
Rule: sid 2058340, rev 1; the full rule text is listed under Detection & IOCs above.
No public exploits indexed.
Unit42
blogs_unit42 · 2021-01-22 · CVSS 9.8 · indexed under CVE-2012-2311 [CRITICAL]
## Network Attack Trends: Internet of Threats (August-October 2020)
Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang
Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908