CVE-2020-14993
published 2020-06-23CVE-2020-14993: A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1.5.1.1 allows remote attackers to execute arbitrary code via the…
PriorityP183critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
5.33%
91.6th percentile
A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1.5.1.1 allows remote attackers to execute arbitrary code via the formuserphonenumber parameter in an authusersms action to mainfunction.cgi.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigor2960_firmware | < 1.5.1.1 | 1.5.1.1 |
| draytek | vigor300b_firmware | < 1.5.1.1 | 1.5.1.1 |
| draytek | vigor3900_firmware | < 1.5.1.1 | 1.5.1.1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-56hp-cj87-42wh: A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1
ghsa_unreviewed·2022-05-24
CVE-2020-14993 [HIGH] GHSA-56hp-cj87-42wh: A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1
A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1.5.1.1 allows remote attackers to execute arbitrary code via the formuserphonenumber parameter in an authusersms action to mainfunction.cgi.
VulnCheck
DrayTek vigor300b_firmware Out-of-bounds Write
vulncheck·2020·CVSS 9.8
CVE-2020-14993 [CRITICAL] DrayTek vigor300b_firmware Out-of-bounds Write
DrayTek vigor300b_firmware Out-of-bounds Write
A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1.5.1.1 allows remote attackers to execute arbitrary code via the formuserphonenumber parameter in an authusersms action to mainfunction.cgi.
Affected: DrayTek vigor300b_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/iot-malware-gayfemboy-mirai-based-botnet-campaign
No detection rules found.
No public exploits indexed.
Fortinet
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign | FortiGuard Labs
blogs_fortinet·2025-08-22
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign
Unpacking the Mirai-based Gayfemboy botnet campaign, its evolution, global targets, and Fortinet security protections
FORTIGUARD SECURITY PORTFOLIO 2025 THREAT LANDSCAPE REPORT
Incidents
Malware Analysis
Conclusion
Fortinet Protections
IOCs
By Vincent Li | August 22, 2025
Affected Platforms: DrayTek Vigor2960 1.3.1_Beta, DrayTek Vigor3900 1.4.4_Beta, DrayTek Vigor300B 1.3.3_Beta, DrayTek Vigor300B 1.4.2.1_Beta, DrayTek Vigor300B 1.4.4_Beta, TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219, Raisecom MSG1200, Raisecom MSG2100E, Raisecom MSG2200, Raisecom MSG2300 3.90, Cisco ISE, Cisco ISE-PIC
Impacted Users: Any organization
Impact: Remote attackers gain control
Bugzilla
CVE-2019-15225 envoy: crafted request with long URI allows remote attacker to cause denial of service
bugzilla·2019-10-25·CVSS 7.5
CVE-2019-15225 [HIGH] CVE-2019-15225 envoy: crafted request with long URI allows remote attacker to cause denial of service
CVE-2019-15225 envoy: crafted request with long URI allows remote attacker to cause denial of service
A vulnerability was found in Envoy through 1.11.1, where users may configure a route to match incoming path headers via the libstdc++ regular expression implementation. A remote attacker may send a request with a very long URI to result in a denial of service (memory consumption). This is a related issue to CVE-2019-14993.
This description came from: https://nvd.nist.gov/vuln/detail/CVE-2019-15225
Discussion:
See related flaw https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14993
---
Used FixCVE names as this was released in an RHEA: https://access.redhat.com/errata/RHEA-2020:1416
Bugzilla
CVE-2019-14993 istio/envoy: mishandling regular expressions for long URIs leading to DoS
bugzilla·2019-10-09·CVSS 7.5
CVE-2019-14993 [HIGH] CVE-2019-14993 istio/envoy: mishandling regular expressions for long URIs leading to DoS
CVE-2019-14993 istio/envoy: mishandling regular expressions for long URIs leading to DoS
Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressions for long URIs, leading to a denial of service during use of the JWT, VirtualService, HTTPAPISpecBinding, or QuotaSpecBinding API.
Upstream Issue:
https://github.com/envoyproxy/envoy/issues/7728
References:
https://istio.io/news/2019/istio-security-003-004/
Discussion:
External References:
https://istio.io/news/2019/istio-security-003-004/
---
Used FixCVE names as this was released in an RHEA: https://access.redhat.com/errata/RHEA-2020:1416
https://github.com/dexterone/Vigor-pochttps://www.draytek.com/about/security-advisoryhttps://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-stack-based-buffer-overflow-vulnerability-%28cve-2020-14473%29https://github.com/dexterone/Vigor-pochttps://www.draytek.com/about/security-advisoryhttps://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-stack-based-buffer-overflow-vulnerability-%28cve-2020-14473%29
2020-06-23
Published
Exploited in the wild