CVE-2020-8515
published 2020-02-01


Priority: P197
Severity: critical, 9.8 (CVSS 3.1), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, Exploit, Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.

Affected (5 ranges)

Vendor    Product              Version range    Fixed in
draytek   vigor2960_firmware
draytek   vigor300b_firmware
draytek   vigor300b_firmware
draytek   vigor300b_firmware
draytek   vigor3900_firmware

Detection & IOCs (extracted from sources)

url: /cgi-bin/mainfunction.cgi
command: action=login&keyPath=%27%0A%2fbin%2fcat${IFS}%2fetc%2fpasswd%0A%27&loginUser=a&loginPwd=a
ip: 178.32.148.5
port: 1337
path: /tmp/
snort:
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_03;)
yara:
regex: root:.*:0:0:
  • Hoaxcalls uses byte-wise XOR with 5 keys (0x1337C0D3, 0x0420A941, 0x4578BEAD, 0x0000A10E, 0x6531A466), effectively XOR-ing each byte with 0xEC — scan for this string obfuscation pattern in memory/binary.
  • Hoaxcalls decrypted marker string 'hubnr and vbrxmr was here' (at index 0x21) is printed to console on execution — useful as a memory/string artifact for detection.
  • Exploitation observed in the wild since December 2019; first firewall-caught incident on March 31, 2020 at 13:51 UTC — use this timeline for retrospective log hunting.
  • Palo Alto Networks threat prevention signatures 57897 and 57892 block the CVE-2020-8515 and CVE-2020-5722 attacks respectively.
  • Emerging Threats Snort/Suricata SID 2029807 (rev:2) detects inbound CVE-2020-8515 exploitation attempts against /cgi-bin/mainfunction.cgi.
  • Group 1 Hoaxcalls samples trigger CVE-2020-8515 exploitation only upon receipt of the 'DRAYTEK' C2 flooder command, whereas Group 2 and Group 3 samples begin scanning and infecting DrayTek devices immediately upon execution — detection logic should account for both behaviors.
  • The malicious POST body structure differs slightly across Hoaxcalls groups; the exploit payload format in groups 2 and 3 differs from group 1 — ensure detection rules cover all variants.
  • GreyNoise observed no CVE-2020-8515 activity in the 24 hours prior to their report but 82 unique IPs exploiting it in the prior 30 days — treat absence of recent activity as temporary, not remediated.

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 9.8 CRITICAL
CISA: 9.8 CRITICAL