CVE-2020-8515
Published 2020-02-01
Priority P1 · 97 · critical · CVSS 3.1 score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigor2960_firmware | — | — |
| draytek | vigor300b_firmware | — | — |
| draytek | vigor300b_firmware | — | — |
| draytek | vigor300b_firmware | — | — |
| draytek | vigor3900_firmware | — | — |
Detection & IOCs (extracted from sources)
snort
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_03;)
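The Emerging Threats rules quoted on this page come in two shapes: M1 matches the login parameters in the request URI, M2 matches them in the POST body, and both require `&loginUser=` and then `&loginPwd=` to follow the `action=login&keyPath=` marker in that order (Snort's `distance:0`). The Python below is an added example, not code from Emerging Threats or from this page; it reimplements that matching logic so the rule can be applied offline to parsed proxy or web-server logs. The `HttpRequest` class, the function names and the sample requests are this example's own constructions, and every parameter value in them is a placeholder.

```python
"""Reimplementation of the ET CVE-2020-8515 M1/M2 matching logic (added example).

Assumed input: one parsed HTTP request (method, request-target with query string,
raw body). Sample requests below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import List, Optional

CGI_PATH = "/cgi-bin/mainfunction.cgi"
MARKER = "action=login&keyPath="
ORDERED_PARAMS = ["&loginUser=", "&loginPwd="]


@dataclass
class HttpRequest:
    method: str
    uri: str   # request-target as seen on the wire, query string included
    body: str  # raw POST body, empty string for requests without one


def _ordered_after(haystack: str, start: int, needles: List[str]) -> bool:
    """Snort 'distance:0' semantics: each needle must occur after the previous match."""
    pos = start
    for needle in needles:
        idx = haystack.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


def classify_request(req: HttpRequest) -> Optional[str]:
    """Return 'M1' or 'M2' when the request matches that ET rule shape, else None."""
    if req.method != "POST":          # http.method; content:"POST"
        return None
    # M1: http.uri starts with the CGI path plus the marker, parameters follow in order.
    m1_prefix = CGI_PATH + "?" + MARKER
    if req.uri.startswith(m1_prefix) and _ordered_after(req.uri, len(m1_prefix), ORDERED_PARAMS):
        return "M1"
    # M2: http.uri ends with the CGI path; marker and ordered parameters sit in the body.
    if req.uri.endswith(CGI_PATH):
        idx = req.body.find(MARKER)
        if idx >= 0 and _ordered_after(req.body, idx + len(MARKER), ORDERED_PARAMS):
            return "M2"
    return None


# Constructed samples (placeholder values, no real credentials or payloads).
SAMPLE_REQUESTS = [
    HttpRequest("POST", CGI_PATH,
                "action=login&keyPath=EXAMPLE&loginUser=EXAMPLE&loginPwd=EXAMPLE"),   # M2
    HttpRequest("POST", CGI_PATH + "?action=login&keyPath=EXAMPLE&loginUser=EXAMPLE&loginPwd=EXAMPLE",
                ""),                                                                   # M1
    HttpRequest("GET", CGI_PATH + "?action=login&keyPath=EXAMPLE&loginUser=EXAMPLE&loginPwd=EXAMPLE",
                ""),                                                                   # wrong method
    HttpRequest("POST", CGI_PATH, "action=login&keyPath=x&loginPwd=y&loginUser=z"),    # wrong order
    HttpRequest("POST", CGI_PATH, "action=status"),                                    # different action
]


def classify_samples() -> List[Optional[str]]:
    """Classify every constructed sample; returns ['M2', 'M1', None, None, None]."""
    return [classify_request(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, classify_samples()):
        print(f"{req.method} {req.uri[:40]:<40} body={req.body[:30]!r:<34} -> {verdict}")
```

The signature keys on the login parameter layout of the vulnerable CGI rather than on shell metacharacters, so any POST login of that shape fires it; the `$EXTERNAL_NET`/`$HOME_NET` direction variables in the rule headers are what keep routine administration of the device from turning into inbound alerts, and they should be set correctly when the rule is deployed.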
yara
regex: root:.*:0:0:
- Hoaxcalls uses byte-wise XOR with 5 keys (0x1337C0D3, 0x0420A941, 0x4578BEAD, 0x0000A10E, 0x6531A466), effectively XOR-ing each byte with 0xEC — scan for this string obfuscation pattern in memory/binary.
- Hoaxcalls decrypted marker string 'hubnr and vbrxmr was here' (at index 0x21) is printed to console on execution — useful as a memory/string artifact for detection.
- Exploitation observed in the wild since December 2019; first firewall-caught incident on March 31, 2020 at 13:51 UTC — use this timeline for retrospective log hunting.
- Palo Alto Networks threat prevention signatures 57897 and 57892 block the CVE-2020-8515 and CVE-2020-5722 attacks respectively.
- Emerging Threats Snort/Suricata SID 2029807 (rev:2) detects inbound CVE-2020-8515 exploitation attempts against /cgi-bin/mainfunction.cgi.
- Group 1 Hoaxcalls samples trigger CVE-2020-8515 exploitation only upon receipt of the 'DRAYTEK' C2 flooder command, whereas Group 2 and Group 3 samples begin scanning and infecting Draytek devices immediately upon execution — detection logic should account for both behaviors.
- The malicious POST body structure differs slightly across Hoaxcalls groups; the exploit payload format in groups 2 and 3 differs from group 1 — ensure detection rules cover all variants.
- GreyNoise observed no CVE-2020-8515 activity in the 24 hours prior to their report but 82 unique IPs exploiting it in the prior 30 days — treat absence of recent activity as temporary, not remediated.
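The first two bullets above (the five XOR keys collapsing to 0xEC, and the decrypted marker string as a memory artifact) can be checked and turned into a scanner with a few lines. The Python below is an added example, not code from Unit 42 or any other cited report. It assumes the Mirai-style scheme the bullet describes, in which every byte of a string is XORed in turn with each byte of each 32-bit key, which is exactly what makes the five keys equivalent to one constant byte; the sample buffer it scans is constructed here and is not a real Hoaxcalls sample.

```python
"""Fold the Hoaxcalls string-obfuscation keys into one XOR byte and scan a buffer
for obfuscated copies of a known marker (added example, constructed input)."""
from typing import List

HOAXCALLS_KEYS = [0x1337C0D3, 0x0420A941, 0x4578BEAD, 0x0000A10E, 0x6531A466]
MARKER = b"hubnr and vbrxmr was here"  # decrypted marker string quoted on this page


def key_bytes(key: int) -> List[int]:
    """Split a 32-bit key into its four bytes (byte order is irrelevant for XOR)."""
    return [(key >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def fold_keys(keys: List[int]) -> int:
    """XOR every byte of every key together: the net effect of applying all of them."""
    result = 0
    for key in keys:
        for b in key_bytes(key):
            result ^= b
    return result


def multi_key_xor(data: bytes, keys: List[int]) -> bytes:
    """Reference of the assumed Mirai-style scheme: each byte XORed with each key byte in turn."""
    out = bytearray(data)
    for key in keys:
        for b in key_bytes(key):
            for i in range(len(out)):
                out[i] ^= b
    return bytes(out)


def xor_with(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def find_obfuscated(buf: bytes, plaintext: bytes, key: int) -> List[int]:
    """Offsets in buf at which plaintext appears XOR-obfuscated with key."""
    needle = xor_with(plaintext, key)
    hits: List[int] = []
    start = 0
    while (idx := buf.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


EFFECTIVE_KEY = fold_keys(HOAXCALLS_KEYS)  # evaluates to 0xEC, as the page states

# Constructed sample: 40 filler bytes, the obfuscated marker, then padding.
SAMPLE_BLOB = b"\x90" * 40 + xor_with(MARKER, EFFECTIVE_KEY) + b"\x00" * 8


def scan_sample() -> List[int]:
    """Scan the constructed blob for the obfuscated marker; returns [40]."""
    return find_obfuscated(SAMPLE_BLOB, MARKER, EFFECTIVE_KEY)


if __name__ == "__main__":
    print(f"effective key: 0x{EFFECTIVE_KEY:02X}")
    print("multi-key scheme == single-byte XOR:", multi_key_xor(MARKER, HOAXCALLS_KEYS) == xor_with(MARKER, EFFECTIVE_KEY))
    print("marker found at offsets:", scan_sample())
```

Because the folded key is a single byte, the same `find_obfuscated` call works for any other plaintext string a sample is expected to carry, and a scanner built this way does not need to implement the malware's own decoding loop.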
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Multiple DrayTek Vigor Routers Web Management Page Vulnerability
cisa·2021-11-03·CVSS 9.8·[CRITICAL]·CWE-78
Affected: DrayTek Multiple Vigor Routers
DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-8515
Remediation Due Date: 2022-05-03
GHSA
GHSA-4866-p686-25f3: DrayTek Vigor2960 1
ghsa_unreviewed·2022-05-24·[HIGH]·CWE-74
DrayTek Vigor2960 1.3.1_Beta; Vigor3900 1.4.4_Beta; and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
VulnCheck
Multiple DrayTek Vigor Routers Web Management Page Vulnerability
vulncheck·2020·CVSS 9.8·[CRITICAL]·CWE-78
DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution.
Affected: DrayTek Vigor Routers
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/; https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/; https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/; https://blog.radware.com/security/botnets/2020/05/ghosting-bots-the-story-of-hoaxcalls-failures/; https://blog.netlab.360.com/ddos-botnet-moobot-en/; https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-pay
Suricata
ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2
suricata·2020-04-03·CVSS 9.8·[CRITICAL]
Rule: alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KE
Suricata
ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1
suricata·2020-04-03·CVSS 9.8·[CRITICAL]
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; startswith; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029804; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_G
Suricata
ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1
suricata·2020-04-03·CVSS 9.8·[CRITICAL]
Rule: alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; startswith; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029805; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated
Suricata
ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2
suricata·2020-04-03·CVSS 9.8·[CRITICAL]
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029806; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag
Exploit-DB
Multiple DrayTek Products - Pre-authentication Remote Root Code Execution
exploitdb·2020-03-30·CVSS 9.8·[CRITICAL]
---
package main
/*
CVE-2020-8515: DrayTek pre-auth remote root RCE
Mon Mar 30 2020 - 0xsha.io
Affected:
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta,
and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta,
and 1.4.4_Beta
You should upgrade as soon as possible to 1.5.1 firmware or later
This issue has been fixed in Vigor3900/2960/300B v1.5.1.
read more :
https://www.skullarmy.net/2020/01/draytek-unauthenticated-rce-in-draytek.html
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-(cve-2020-8515)/
https://thehackernews.com/2020/03/draytek-network-hacking.html
https://blog.netlab.360.com/two-zero-days-are-targeting-draytek-broadband-cpe-devices-en/
expl
Nuclei
DrayTek - Remote Code Execution
nuclei·CVSS 9.8·[CRITICAL]
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
Template:
id: CVE-2020-8515
info:
  name: DrayTek - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected router, leading to complete compromise of the
Fortinet
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign | FortiGuard Labs
blogs_fortinet·2025-08-22
FORTIGUARD LABS THREAT RESEARCH
Unpacking the Mirai-based Gayfemboy botnet campaign, its evolution, global targets, and Fortinet security protections
By Vincent Li | August 22, 2025
Affected Platforms: DrayTek Vigor2960 1.3.1_Beta, DrayTek Vigor3900 1.4.4_Beta, DrayTek Vigor300B 1.3.3_Beta, DrayTek Vigor300B 1.4.2.1_Beta, DrayTek Vigor300B 1.4.4_Beta, TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219, Raisecom MSG1200, Raisecom MSG2100E, Raisecom MSG2200, Raisecom MSG2300 3.90, Cisco ISE, Cisco ISE-PIC
Impacted Users: Any organization
Impact: Remote attackers gain control
Greynoiseio
Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
blogs_greynoiseio·2025-03-25·CVSS 9.8
[CRITICAL] Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
Checkpoint
20th February – Threat Intelligence Report
blogs_checkpoint·2023-02-20·CVE-2023-21823
## 20th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research identified a campaign against entities in Armenia, using a new version of OxtaRAT – an AutoIt-based backdoor for remote access and desktop surveillance. The threat actors have been targeting human rights organizations, dissidents, and independent media in Azerbaijan for several years, amid rising tens
Unit42
Mirai Variant V3G4 Targets IoT Devices
blogs_unit42·2023-02-15·CVSS 7.5
[HIGH] Mirai Variant V3G4 Targets IoT Devices
## Content Warning
We are providing a content warning because the following contains usage of a racial slur by a threat actor, which is not condoned in any instance by Unit 42. Unit 42 has partially redacted the racial slur to provide researchers with the ability to identify it and check IoCs as needed.
## Executive Summary
From July to December 2022, Unit 42 researchers observed a Mirai variant called V3G4, which was leveraging several vulnerabilities to spread itself. The vulnerabilities exploited include the following:
- CVE-2012-4869: FreePBX Elastix Remote Command Execution Vulnerability
- Gitorious Remote Command Execution Vulnerability
- CVE-2014-9727: FRITZ!Box Webcam Remote Command Execution Vulnerability
- Mitel AWC Remote Command Execution Vulnerability
- CVE-2017-5173: Geut
Unit42
Mirai Variant V3G4 Targets IoT Devices
blogs_unit42·2023-02-15·CVSS 7.5·[HIGH]
Authors: Chao Lei, Zhibin Zhang, Cecilia Hu, Aveek Das
Published: February 15, 2023
Tags: Threat Research, Vulnerabilities, Botnet, IoT Vulnerability, Mirai variant, V3G4
Checkpoint
15th November – Threat Intelligence Report
blogs_checkpoint·2021-11-15·CVE-2021-42237
## 15th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 15th November, please download our Threat Intelligence Bulletin.
Top Attacks and Breaches
Check Point Research notes a 178% increase in the number of malicious shopping websites, compared to the rest of the year, spotting over 5300 different malicious websites per week ahead of the end of this year’s e-shopping season.
Check Point Research has analyzed the operations of threat actor MosesStaff following its
Trendmicro
Manage Zero Day Exploits (ZDI) with Trend Micro Solutions
blogs_trendmicro·2021-04-28
Cyber Threats
## How Trend Micro Helps Manage Exploited Vulnerabilities
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Read how Trend Micro protects customers from vulnerability exploits by blocking them as early as possible.
By: Jon Clay, Apr 28, 2021
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Exploiting known vulnerabilities to successfully compromise an organization has long been a common tactic used by malicious actors. Whether Heartbleed, EternalBlue, or most recently Zerologon, threat actors take advantage of newly disclosed vulnerabilities in their attacks. But even with thousands of new vulnerabilities
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
Authors: Yue Guan, Lei Xu, Ken Hsu, Zhibin Zhang
Published: January 22, 2021
Tags: Malware, Trend Reports, Vulnerabilities, DDoS, Exploits, IoT, Network security trends
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Tenable
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
blogs_tenable·2020-10-23
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
Qualys
NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities | Qualys
blogs_qualys·2020-10-22·CVSS 9.8
CVE-2020-15505 [CRITICAL] NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities | Qualys
#### Table of Contents
- Detect 25 Publicly Known Vulnerabilities using VMDR
Update November 25, 2020: The UK National Cyber Security Centre alerts that APT nation-state groups and cybercriminals are exploiting MobileIron RCE vulnerability (CVE-2020-15505).
Original post: On October 20, 2020, the United States National Security Agency (NSA) released a cybersecurity advisory on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.
“Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and
mitigation efforts,” said the NSA advisory. It also recommended “crit
Unit42
Two New IoT Vulnerabilities Identified with Mirai Payloads
blogs_unit42·2020-10-14
Authors: Ken Hsu, Yue Guan, Vaibhav Singhal, Qi Deng
Published: October 14, 2020
Tags: Threat Research, Vulnerabilities, IoT, Mirai
## Executive Summary
Palo Alto Networks is proactively trying to safeguard its customers from attacks however possible. By leveraging its Next-Generation Firewall as sensors on the perimeter to detect malicious payloads and attack patterns, Unit 42 researchers are able to hunt down the menaces out there on the network, be they known or not.
Unit 42 researchers have taken a closer look at four Mirai variants from two recently discovered campaigns leveraging command injection vulnerability exploits that reveal a familiar IoT attack pattern.
While this generic approach allows researchers to observe the entire killchain and even acquire the malware binary from the attack, this post-exploitation heuristic does have its caveat: the traffic fingerprinting. Similar services yield similar traffi
Unit42
Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
blogs_unit42·2020-04-03·CVSS 9.8
CVE-2020-5722 [CRITICAL] Grandstream and DrayTek Devices Exploited to Power New Hoaxcalls DDoS Botnet
Authors: Ken Hsu, Haozhe Zhang, Zhibin Zhang, Ruchna Nigam
Published: April 3, 2020
Tags: Threat Research, Vulnerabilities, CVE-2020-5722, CVE-2020-8515, DDoS, Gafgyt
## Executive Summary
As soon as the proof-of-concept (PoC) for CVE-2020-8515 was made publicly available in March, this vulnerability was employed by a new DDoS botnet for propagation. Further analysis shows that this malware can also propagate by exploiting CVE-2020-5722. As of now, the attack traffic detected has doubled since 03/31/2020, implying that many Grandstream UCM6200 and Draytek Vigor devices are infected or under active attack. We notified regional CERTs of potentially infected devices identified during our research prior to publication in an effort to help with awareness and remediation. The Grandstream devices are business telephone systems providers over IP, whereas the latter are routers.
Both CVE-2020-8515 and CVE-2020-5722 have a critical rating (i.e CVSS v3.1 score of
References
- http://packetstormsecurity.com/files/156979/DrayTek-Vigor2960-Vigor3900-Vigor300B-Remote-Command-Execution.html
- https://sku11army.blogspot.com/2020/01/draytek-unauthenticated-rce-in-draytek.html
- https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-router-web-management-page-vulnerability-%28cve-2020-8515%29/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-8515
Timeline
- 2020-02-01: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild