CVE-2020-15415
published 2020-06-30


Priority: P1 (92)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2024-10-21
Exploited in the wild
EPSS: 84.60% (99.7th percentile)
On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.

Affected (3 ranges)

Vendor    Product              Version range   Fixed in
draytek   vigor2960_firmware   < 1.5.1         1.5.1
draytek   vigor300b_firmware   < 1.5.1         1.5.1
draytek   vigor3900_firmware   < 1.5.1         1.5.1

Detection & IOCs (extracted from sources)

path:  /cgi-bin/mainfunction.cgi/cvmcfgupload
url:   POST /cgi-bin/mainfunction.cgi/cvmcfgupload?1=2
other: filename="t';id;echo '1_"
suricata rule (Emerging Threats, sid 2058347; the http.uri/http.request_body sticky buffers and target keyword are Suricata syntax):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi cvmcfgupload Command Injection Attempt (CVE-2020-15415)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi/cvmcfgupload"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|"; content:"filename|3d 22|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2020-15415; reference:url,github.com/CLP-team/Vigor-Commond-Injection; classtype:attempted-admin; sid:2058347; rev:1; metadata:affected_product DrayTek, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_17, cve CVE_2020_15415, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requires a multipart/form-data POST to /cgi-bin/mainfunction.cgi/cvmcfgupload with the uploaded part's content type set to text/x-python-script and shell metacharacters (;, newline, backtick, |, $) in the filename field.
  • The rule's PCRE looks for those metacharacters, raw or URL-encoded (%3B, %0A, %60, %7C, %24), after the filename=" opening quote and before any '&'.
  • A successful exploitation response carries the output of the injected command (e.g. id, matching a uid=/gid= pattern), and the response's Server header is 'DWS' (the DrayTek web server identifier).
  • The endpoint is reachable unauthenticated; no credentials or prior access are needed.
  • FOFA fingerprint for exposed DrayTek Vigor management interfaces: Server header 'DWS', presence of excanvas.js and detectLang, and lang=="zh-cn".
  • Only DrayTek Vigor3900, Vigor2960 and Vigor300B devices running firmware before 1.5.1 are affected.
  • This is a distinct issue from CVE-2020-14472, which affects the same endpoint and devices; detections should not conflate the two CVEs.
  • The rule (sid:2058347) is scoped to plaintext (non-TLS) traffic only (tls_state plaintext); exploitation over an HTTPS management session will not be seen by it.
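As an added example (not code from this page, from DrayTek, or from the Emerging Threats rule set): a Python re-implementation of the detection logic above, for running over captured requests and responses (proxy logs, a PCAP export) where no sensor is available. The sample requests, the 192.0.2.10 host, the multipart boundary and the form field name are constructed for the example. One deliberate difference from the rule: its PCRE alternation includes a bare newline (\x0a) and its [^\x26]*? prefix is not stopped by the end of the Content-Disposition line, so on a multipart body the rule also fires on a clean filename as soon as it reaches the line's CRLF; the code below scopes the check to the captured filename value so benign uploads and injected ones can be told apart.

```python
import re

# Endpoint the rule keys on (from the advisory above).
TARGET_PATH = b"/cgi-bin/mainfunction.cgi/cvmcfgupload"

# The five metacharacters the rule's PCRE alternation covers, raw or
# percent-encoded: ';' newline '`' '|' '$'.
METACHAR_RE = re.compile(rb";|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24")

# Multipart part header carrying a filename, the shape the rule's two
# content matches expect: Content-Disposition: form-data; name="..."; filename="..."
FILENAME_RE = re.compile(
    rb'Content-Disposition:\s*form-data;[^\r\n]*?filename="([^"\r\n]*)"',
    re.IGNORECASE,
)


def split_message(raw: bytes):
    """Split a raw HTTP/1.1 request or response into
    (start_line, {lowercased header name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_filenames(body: bytes):
    """All filename="..." values from multipart part headers in the body."""
    return [m.group(1) for m in FILENAME_RE.finditer(body)]


def filename_is_injected(filename: bytes) -> bool:
    """Shell metacharacter (raw or %-encoded) in the filename value.
    Like the rule's PCRE, only the part before the first '&' is examined."""
    scope = filename.split(b"&", 1)[0]
    return METACHAR_RE.search(scope) is not None


def is_cvmcfgupload_injection(raw_request: bytes) -> bool:
    """True for a POST to the cvmcfgupload endpoint whose multipart
    filename carries shell metacharacters."""
    start_line, _headers, body = split_message(raw_request)
    parts = start_line.split(b" ")
    if len(parts) < 2 or parts[0] != b"POST":
        return False
    if not parts[1].startswith(TARGET_PATH):
        return False
    return any(filename_is_injected(f) for f in extract_filenames(body))


# Output of the injected 'id' command, the success indicator described above.
ID_OUTPUT_RE = re.compile(rb"uid=\d+\([^)]*\)\s+gid=\d+\(")


def response_shows_execution(raw_response: bytes) -> bool:
    """True when the reply comes from the DrayTek web server ('DWS' in the
    Server header) and its body contains id(1)-style uid/gid output."""
    _status, headers, body = split_message(raw_response)
    server = headers.get(b"server", b"")
    return b"dws" in server.lower() and ID_OUTPUT_RE.search(body) is not None


def _multipart_post(path: bytes, filename: bytes) -> bytes:
    """Build a constructed sample request (hypothetical host, boundary and field name)."""
    return (
        b"POST " + path + b" HTTP/1.1\r\n"
        b"Host: 192.0.2.10\r\n"
        b"Content-Type: multipart/form-data; boundary=----sample\r\n"
        b"\r\n"
        b"------sample\r\n"
        b'Content-Disposition: form-data; name="abc"; filename="' + filename + b'"\r\n'
        b"Content-Type: text/x-python-script\r\n"
        b"\r\n"
        b"pass\r\n"
        b"------sample--\r\n"
    )


# Constructed samples: the PoC filename from the IOC list, its %-encoded form,
# a clean upload, and the PoC filename sent to an unrelated path.
EXPLOIT_REQUEST = _multipart_post(TARGET_PATH + b"?1=2", b"t';id;echo '1_")
ENCODED_REQUEST = _multipart_post(TARGET_PATH + b"?1=2", b"t%3Bid%3Becho%20'1_")
BENIGN_REQUEST = _multipart_post(TARGET_PATH + b"?1=2", b"config.bin")
OTHER_PATH_REQUEST = _multipart_post(b"/cgi-bin/other.cgi", b"t';id;echo '1_")

EXPLOITED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: DWS\r\nContent-Type: text/html\r\n\r\n"
    b"uid=0(root) gid=0(root)\n1_\n"
)
CLEAN_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: DWS\r\n\r\n<html>ok</html>"

if __name__ == "__main__":
    for name, req in [("exploit", EXPLOIT_REQUEST), ("encoded", ENCODED_REQUEST),
                      ("benign", BENIGN_REQUEST), ("other-path", OTHER_PATH_REQUEST)]:
        print(f"{name:10s} -> {is_cvmcfgupload_injection(req)}")
    print("response exploited ->", response_shows_execution(EXPLOITED_RESPONSE))
```

Pairing the request check with response_shows_execution over the matching reply separates an attempt from a confirmed compromise; an attempt against a patched (1.5.1 or later) device will not return the uid/gid output.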

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck         9.8   CRITICAL
cisa              9.8   CRITICAL