CVE-2020-15415
Published: 2020-06-30
Priority: P1 · 92 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-10-21
Exploited in the wild
EPSS: 84.60% (99.7th percentile)
On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigor2960_firmware | < 1.5.1 | 1.5.1 |
| draytek | vigor300b_firmware | < 1.5.1 | 1.5.1 |
| draytek | vigor3900_firmware | < 1.5.1 | 1.5.1 |
Detection & IOCs (extracted from sources)
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi cvmcfgupload Command Injection Attempt (CVE-2020-15415)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi/cvmcfgupload"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|"; content:"filename|3d 22|"; distance:0; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2020-15415; reference:url,github.com/CLP-team/Vigor-Commond-Injection; classtype:attempted-admin; sid:2058347; rev:1; metadata:affected_product DrayTek, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_17, cve CVE_2020_15415, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit requires a multipart/form-data POST to /cgi-bin/mainfunction.cgi/cvmcfgupload with Content-Type: text/x-python-script and shell metacharacters (;, newline, backtick, |, $) injected into the filename field.
- The Snort/Suricata PCRE targets shell metacharacters in the filename parameter: semicolons, newlines, backticks, pipes, and dollar signs (both raw and URL-encoded) immediately after the filename= field.
- A successful exploitation response contains the output of the injected command (e.g., id) matching a uid/gid pattern, and the HTTP response header contains 'DWS' (the DrayTek web server identifier).
- The vulnerability is unauthenticated (no credentials required); no prior access is needed to reach the endpoint.
- FOFA fingerprint for identifying exposed DrayTek Vigor management interfaces: server header 'DWS', presence of excanvas.js, detectLang, and lang=="zh-cn".
- The vulnerability affects only DrayTek Vigor3900, Vigor2960, and Vigor300B devices running firmware versions before 1.5.1.
- This is a distinct issue from CVE-2020-14472, which affects the same endpoint/devices; detections should not conflate the two CVEs.
- The Snort rule (sid:2058347) is scoped to plaintext (non-TLS) traffic only; encrypted management sessions will not be detected.
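As an added example (not code from this page or from the rule's authors), the following Python applies the Snort rule's matching steps to constructed request bodies: same URI, same Content-Disposition/filename anchors and the same metacharacter class, raw or %-encoded. It inspects only the quoted filename value, whereas the rule's PCRE keeps scanning from filename=" until the first &, so in a raw body the CRLF ending the header line is itself a candidate for the \x0a alternative; the boundary string and sample filenames are constructed.

```python
import re
from urllib.parse import unquote

# Constructed detector mirroring the Snort rule's matching steps (not the
# rule itself): POST, the cvmcfgupload URI, a multipart part anchored on
# Content-Disposition: form-data; name=" and a filename= value that carries
# shell metacharacters.
RULE_URI = b"/cgi-bin/mainfunction.cgi/cvmcfgupload"
DISPOSITION = b'Content-Disposition: form-data; name="'
# Same character class as the rule's PCRE: ; LF ` | $ , raw or %-encoded.
META_RE = re.compile(rb"\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24")
# Only the quoted filename value is inspected; the rule's PCRE scans on past
# the closing quote until the first '&', so it is looser than this.
FILENAME_RE = re.compile(rb'filename="([^"]*)"')


def injected_filenames(method: bytes, uri: bytes, body: bytes) -> list:
    """Return decoded filename values (str) that carry rule metacharacters."""
    hits = []
    if method != b"POST" or RULE_URI not in uri:
        return hits
    pos = body.find(DISPOSITION)
    while pos != -1:
        m = FILENAME_RE.search(body, pos)
        if m is None:
            break
        raw = m.group(1)
        if META_RE.search(raw):
            # Decode %-escapes so the logged value shows the real character.
            hits.append(unquote(raw.decode("latin-1")))
        pos = body.find(DISPOSITION, m.end())
    return hits


def make_body(filename: bytes, content: bytes = b"print('ok')\n") -> bytes:
    """Constructed multipart/form-data body in the shape the rule expects."""
    return (b"--b0\r\n" + DISPOSITION + b'file"; filename="' + filename + b'"\r\n'
            + b"Content-Type: text/x-python-script\r\n\r\n" + content
            + b"\r\n--b0--\r\n")


if __name__ == "__main__":
    for name in (b"config.py", b"x.py;id", b"x.py%7cid"):
        print(name, "->", injected_filenames(b"POST", RULE_URI, make_body(name)))
```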
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
GHSA
GHSA-65hg-r7rx-55rg
ghsa_unreviewed · 2022-05-24 · CVSS 9.8 · [CRITICAL] · CWE-78
On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.
VulnCheck
DrayTek Multiple Vigor Routers OS Command Injection Vulnerability
vulncheck · 2020 · CVSS 9.8 · [CRITICAL] · CWE-78
DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.
Affected: DrayTek Vigor Routers
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-v3g4/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-01&host_type=src&vulnerability=cve-2020-15415; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-03-13&h
CISA
DrayTek Multiple Vigor Routers OS Command Injection Vulnerability
cisa · 2024-09-30 · CVSS 9.8 · [CRITICAL] · CWE-78
Affected: DrayTek Multiple Vigor Routers
DrayTek Vigor3900, Vigor2960, and Vigor300B devices contain an OS command injection vulnerability in cgi-bin/mainfunction.cgi/cvmcfgupload that allows for remote code execution via shell metacharacters in a filename when the text/x-python-script content type is used.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472) ; https://nvd.nist.gov/vuln/detail/CVE-2020-15415
Remediation Due Date: 2024-10-21
Suricata
ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi cvmcfgupload Command Injection Attempt (CVE-2020-15415)
suricata · 2024-12-17 · CVSS 9.8 · [CRITICAL]
Rule: sid:2058347, rev:1 (the full rule text is listed under Detection & IOCs above)
Nuclei
DrayTek Vigor - Command Injection
nuclei · CVSS 9.8 · [CRITICAL]
DrayTek Vigor devices contain a command injection vulnerability in the cvmcfgupload functionality. The vulnerability allows remote attackers to execute arbitrary commands through specially crafted requests to the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint.
Template:
```yaml
id: CVE-2020-15415
info:
  name: DrayTek Vigor - Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    DrayTek Vigor devices contain a command injection vulnerability in the cvmcfgupload functionality. The vulnerability allows remote attackers to execute arbitrary commands through specially crafted requests to the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands on DrayTek Vigor devices via the c
```
Unit42
Mirai Variant V3G4 Targets IoT Devices
blogs_unit42 · 2023-02-15 · CVSS 7.5 · [HIGH]
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geut
Unit42
Mirai Variant V3G4 Targets IoT Devices
Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das · Published: February 15, 2023
Tags: Threat Research, Vulnerabilities, Botnet, IoT Vulnerability, Mirai variant, V3G4
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42 · 2021-01-22 · CVSS 9.8 · CVE-2012-2311 [CRITICAL]
Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang · Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren't always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
Timeline: 2020-06-30 Published · 2024-09-30 Added to CISA KEV · Exploited in the wild