CVE-2020-14472
published 2020-06-24

CVE-2020-14472: On Draytek Vigor3900, Vigor2960, and Vigor 300B devices before 1.5.1.1, there are some command-injection vulnerabilities in the mainfunction.cgi file.

Priority: P261 | critical | 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: Exploited in the wild
EPSS: 2.93% (85.4th percentile)

Affected

6 ranges
Vendor    Product              Version range   Fixed in
draytek   vigor2960_firmware   < 1.5.1         1.5.1
draytek   vigor2960_firmware   < 1.5.1.1       1.5.1.1
draytek   vigor300b_firmware   < 1.5.1         1.5.1
draytek   vigor300b_firmware   < 1.5.1.1       1.5.1.1
draytek   vigor3900_firmware   < 1.5.1         1.5.1
draytek   vigor3900_firmware   < 1.5.1.1       1.5.1.1

Detection & IOCs (extracted from sources)

path: /cgi-bin/mainfunction.cgi
command: action=authuser
snort:
alert http any any -> any any (msg:"ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi formpassword Command Injection Attempt (CVE-2020-14472)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/cgi-bin/mainfunction.cgi"; fast_pattern; http.request_body; url_decode; content:"URL|3d|"; content:"HOST|3d|http"; content:"action=authuser"; content:"formusername|3d|"; content:"formpassword|3d|"; base64_decode:offset 0, relative; base64_data; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:cve,2020-14472; reference:url,github.com/Cossack9989/Vulns/blob/master/IoT/CVE-2020-14472.md; classtype:attempted-admin; sid:2058340; rev:1; metadata:created_at 2024_12_17, cve CVE_2020_14472, confidence High, signature_severity Unknown, tag Exploit, updated_at 2024_12_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit requests use HTTP POST method targeting /cgi-bin/mainfunction.cgi with a URI length of exactly 25 bytes.
  • Request body contains base64-encoded formpassword field; after base64 decoding, shell metacharacters (;, newline, backtick, pipe, $) are injected into the password parameter.
  • Request body also contains URL= and HOST=http parameters alongside formusername= and action=authuser, which are characteristic of this exploit's payload structure.
  • CVE-2020-14472 is an OS command injection in cgi-bin/mainfunction.cgi on DrayTek Vigor3900, Vigor2960, and Vigor300B devices before firmware 1.5.1; distinct from CVE-2020-15415 which targets cvmcfgupload.
  • The CISA KEV entry and NVD source both reference CVE-2020-15415 (cvmcfgupload / text/x-python-script vector) alongside CVE-2020-14472 (formpassword injection vector); the Snort rule targets the formpassword/authuser vector specifically attributed to CVE-2020-14472.
  • Affected devices must be running firmware versions before 1.5.1; patched devices are not vulnerable.
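
The checks the rule above performs, restated as an added Python example for triaging proxy or WAF logs; it is not part of the original page or of the rule authors' code. The function names, the sample requests and the 192.0.2.1 address are constructed, and the metacharacter search covers the whole decoded value rather than anchoring as the rule's pcre does.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

TARGET_URI = "/cgi-bin/mainfunction.cgi"  # 25 bytes, the rule's bsize:25
REQUIRED = ("URL", "HOST", "action", "formusername", "formpassword")
# Characters the rule's pcre looks for, raw or percent-encoded: ; newline ` | $
SHELL_META = re.compile(rb"[;\n`|$]|%3[Bb]|%0[Aa]|%60|%7[Cc]|%24")

def decode_password(value):
    """Base64-decode formpassword; return None if it is not valid base64."""
    value = value.replace(" ", "+")  # parse_qsl turns '+' into a space
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(method, uri, body):
    """Return 'suspicious', 'clean' or 'not-applicable' for one HTTP request."""
    if method != "POST" or uri != TARGET_URI:
        return "not-applicable"
    fields = dict(parse_qsl(body, keep_blank_values=True))  # URL-decodes values
    if any(name not in fields for name in REQUIRED):
        return "not-applicable"
    if fields["action"] != "authuser" or not fields["HOST"].startswith("http"):
        return "not-applicable"
    decoded = decode_password(fields["formpassword"])
    if decoded is None:
        return "clean"
    return "suspicious" if SHELL_META.search(decoded) else "clean"

def _body(password):
    """Build a constructed login body with the given password bytes."""
    pw = base64.b64encode(password).decode()
    return ("URL=x&HOST=http://192.0.2.1&action=authuser"
            "&formusername=admin&formpassword=" + pw)

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", TARGET_URI, _body(b"hunter2")),
    ("POST", TARGET_URI, _body(b"x;constructed-marker")),
    ("GET", "/index.html", ""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, classify(method, uri, body))
```

A legitimate password that contains one of these characters is classified the same way, so a hit is a lead to review against the device's firmware version.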

CVSS provenance

nvd    v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd    v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
cisa          9.8   CRITICAL