CVE-2021-20123
published 2021-10-13


Priority: P1 · 88 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2024-09-24
Exploited in the wild
EPSS: 74.28% (99.4th percentile)
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Affected (1 range)

Vendor | Product | Version range | Fixed in
draytek | vigorconnect | |

Detection & IOCs (extracted from sources)

url: /ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything
url: /ACSServer/DownloadFileServlet?show_file_name=../../../../../../windows/win.ini&type=uploadfile&path=anything
path: /ACSServer/DownloadFileServlet
yara regex: root:.*:0:0:
yara regex: for 16-bit app support
  • Exploit requests target GET /ACSServer/DownloadFileServlet with path traversal sequences in the 'show_file_name' parameter (e.g., ../../../../../../etc/passwd) and fixed parameters type=uploadfile&path=anything. No authentication is required.
  • Successful exploitation returns HTTP 200 with Content-Type: application/octet-stream header and body matching 'root:.*:0:0:' (Linux) or 'for 16-bit app support' (Windows win.ini).
  • Shodan and FOFA queries can identify exposed VigorConnect instances as potential targets: search for http.html:"VigorConnect" or body="vigorconnect".
  • GreyNoise observed 23 distinct IPs actively exploiting CVE-2021-20123 in the past 30 days, with top targeted countries being Lithuania, United States, and Singapore.
  • The vulnerability is in the DownloadFileServlet endpoint (CVE-2021-20123); a companion vulnerability CVE-2021-20124 targets the WebServlet endpoint — both are actively exploited and on CISA KEV.
  • Vulnerable version is DrayTek VigorConnect 1.6.0-B3; the vendor patched this in VigorConnect 1.6.1 released October 7, 2021. Instances still running 1.6.0-B3 are exploitable.
  • Despite a large overall DrayTek footprint (700,000+ Shodan results), internet-facing VigorConnect instances are very limited — FOFA returns only ~44 results (37 unique IPs) — making automated targeted attacks feasible at low scale.
  • EPSS score of 0.93989 (99.892nd percentile) indicates extremely high likelihood of exploitation; vulnerability is on CISA KEV with remediation due date of 2024-09-24.
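The two detection bullets above (traversal sequences in the show_file_name parameter of GET /ACSServer/DownloadFileServlet, and a 200 response whose body matches the root:.*:0:0: or "for 16-bit app support" pattern) can be turned into a log-side check. The script below is an added example, not code from the cvebase page or from DrayTek: it parses a few constructed combined-format access log lines, URL-decodes the show_file_name value (twice, to catch double encoding), and flags any request to the vulnerable servlet whose decoded value contains a "../" or "..\" segment. The second helper applies the page's two regexes to a response body so a proxy or IDS can tell a successful file read from a 200 with harmless content. The log lines, IP addresses and timestamps are all made up for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log lines (combined log format). These are NOT real
# traffic; the addresses are documentation ranges and the timestamps are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Oct/2021:10:01:02 +0000] "GET /ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything HTTP/1.1" 200 1842 "-" "python-requests/2.25.1"
203.0.113.11 - - [13/Oct/2021:10:02:15 +0000] "GET /ACSServer/DownloadFileServlet?show_file_name=..%2F..%2F..%2Fwindows%2Fwin.ini&type=uploadfile&path=anything HTTP/1.1" 200 403 "-" "curl/7.68.0"
198.51.100.5 - - [13/Oct/2021:10:03:40 +0000] "GET /ACSServer/DownloadFileServlet?show_file_name=report.csv&type=uploadfile&path=anything HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.6 - - [13/Oct/2021:10:04:01 +0000] "GET /ACSServer/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment delimited by "/" or "\" (or at the start/end of the value).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Endpoint named in the advisory; the vulnerable parameter is show_file_name.
VULN_PATH = "/ACSServer/DownloadFileServlet"
VULN_PARAM = "show_file_name"

# Response-body patterns from the page's YARA regexes: a Linux /etc/passwd root
# entry and the comment line found in a Windows win.ini.
LEAK_PATTERNS = [re.compile(r"root:.*:0:0:"), re.compile(r"for 16-bit app support")]


def is_traversal_attempt(target):
    """Return True when the request target hits DownloadFileServlet with a
    traversal sequence in show_file_name, after one or two rounds of URL decoding."""
    parts = urlsplit(target)
    if unquote(parts.path) != VULN_PATH:
        return False
    # parse_qs already decodes one layer; a second unquote catches double encoding.
    for value in parse_qs(parts.query, keep_blank_values=True).get(VULN_PARAM, []):
        if TRAVERSAL_RE.search(unquote(value)):
            return True
    return False


def requested_file(target):
    """Decoded show_file_name value for reporting (empty string when absent)."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(VULN_PARAM, [])
    return unquote(values[0]) if values else ""


def find_exploit_attempts(log_text):
    """Scan access-log text and return one record per suspicious request.
    A 200 status alone is not proof of success (the body is not in the log),
    so the status is reported for triage rather than used as a verdict."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_attempt(m["target"]):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "requested": requested_file(m["target"]),
            "status": int(m["status"]),
        })
    return hits


def looks_like_leaked_file(body):
    """True when a response body matches either IOC regex from the advisory,
    i.e. the server actually returned /etc/passwd or win.ini content."""
    return any(p.search(body) for p in LEAK_PATTERNS)


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} requested {hit['requested']!r} -> HTTP {hit['status']}")
```

Run over the constructed sample, the scan reports the first two lines (plain and percent-encoded traversal) and ignores the legitimate report.csv download and the unrelated login page request. Pair the request-side rule with looks_like_leaked_file on captured response bodies where a reverse proxy or IDS has them; a traversal request that drew a matching 200 body is a confirmed read rather than a blocked probe.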

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd (v2.0): 7.8 HIGH, AV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH