CVE-2021-20123
published 2021-10-13CVE-2021-20123: A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An…
PriorityP188high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2024-09-24
Exploited in the wild
EPSS
74.28%
99.4th percentile
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigorconnect | — | — |
Detection & IOCsextracted from sources · hover to see the quote
url/ACSServer/DownloadFileServlet?show_file_name=../../../../../../etc/passwd&type=uploadfile&path=anything
url/ACSServer/DownloadFileServlet?show_file_name=../../../../../../windows/win.ini&type=uploadfile&path=anything
yara
regex: root:.*:0:0:
yara
regex: for 16-bit app support
- →Exploit requests target GET /ACSServer/DownloadFileServlet with path traversal sequences in the 'show_file_name' parameter (e.g., ../../../../../../etc/passwd) and fixed parameters type=uploadfile&path=anything. No authentication is required. ↗
- →Successful exploitation returns HTTP 200 with Content-Type: application/octet-stream header and body matching 'root:.*:0:0:' (Linux) or 'for 16-bit app support' (Windows win.ini).
- →Shodan and FOFA queries can identify exposed VigorConnect instances as potential targets: search for http.html:"VigorConnect" or body="vigorconnect".
- →GreyNoise observed 23 distinct IPs actively exploiting CVE-2021-20123 in the past 30 days, with top targeted countries being Lithuania, United States, and Singapore. ↗
- →The vulnerability is in the DownloadFileServlet endpoint (CVE-2021-20123); a companion vulnerability CVE-2021-20124 targets the WebServlet endpoint — both are actively exploited and on CISA KEV. ↗
- ·Vulnerable version is DrayTek VigorConnect 1.6.0-B3; the vendor patched this in VigorConnect 1.6.1 released October 7, 2021. Instances still running 1.6.0-B3 are exploitable. ↗
- ·Despite a large overall DrayTek footprint (700,000+ Shodan results), internet-facing VigorConnect instances are very limited — FOFA returns only ~44 results (37 unique IPs) — making automated targeted attacks feasible at low scale. ↗
- ·EPSS score of 0.93989 (99.892nd percentile) indicates extremely high likelihood of exploitation; vulnerability is on CISA KEV with remediation due date of 2024-09-24.
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck7.5HIGH
cisa7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA
Draytek VigorConnect Path Traversal Vulnerability
cisa·2024-09-03·CVSS 7.5
CVE-2021-20123 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Vulnerability: Draytek VigorConnect Path Traversal Vulnerability
Affected: DrayTek VigorConnect
Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.draytek.com/about/security-advisory/vigorconnect-software-security-vulnerability-(cve-2021-20123-cve-2021-20129); https://nvd.nist.gov/vuln/detail/CVE-2021-20123
Remediation Due Date: 2024-09-24
CISA
Draytek VigorConnect Path Traversal Vulnerability
cisa·2024-09-03·CVSS 7.5
CVE-2021-20124 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Vulnerability: Draytek VigorConnect Path Traversal Vulnerability
Affected: DrayTek VigorConnect
Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.draytek.com/about/security-advisory/vigorconnect-software-security-vulnerability-(cve-2021-20123-cve-2021-20129); https://nvd.nist.gov/vuln/detail/CVE-2021-20124
Remediation Due Date: 2024-09-24
GHSA
GHSA-gc9m-33cp-rmpj: A local file inclusion vulnerability exists in Draytek VigorConnect 1
ghsa_unreviewed·2022-05-24
CVE-2021-20123 [HIGH] CWE-22 GHSA-gc9m-33cp-rmpj: A local file inclusion vulnerability exists in Draytek VigorConnect 1
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
VulnCheck
Draytek VigorConnect Path Traversal Vulnerability
vulncheck·2021·CVSS 7.5
CVE-2021-20123 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Affected: DrayTek VigorConnect
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://fortiguard.fortinet.com/encyclopedia/ips/55752; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-04&host_type=src&vulnerability=cve-2021-20123; https://www.tenable.com/blog/cve-2021-20123-
VulnCheck
Draytek VigorConnect Path Traversal Vulnerability
vulncheck·2021·CVSS 7.5
CVE-2021-20124 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Affected: DrayTek VigorConnect
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-03&host_type=src&vulnerability=cve-2021-20124; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.tenable.com/blog/cve-2021-20123-cve-2021-20124-draytek-vulnera
No detection rules found.
Nuclei
Draytek VigorConnect 1.6.0-B - Local File Inclusion
nuclei·CVSS 7.5
CVE-2021-20123 [HIGH] Draytek VigorConnect 1.6.0-B - Local File Inclusion
Draytek VigorConnect 1.6.0-B - Local File Inclusion
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Template:
id: CVE-2021-20123
info:
name: Draytek VigorConnect 1.6.0-B - Local File Inclusion
author: 0x_Akoko
severity: high
description: |
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
impact: |
Successful exp
Greynoiseio
Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
blogs_greynoiseio·2025-03-25·CVSS 9.8
[CRITICAL] Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Tenable
CVE-2021-20123, CVE-2021-20124: DrayTek Vulnerabilities Discovered by Tenable Research Added to CISA KEV
blogs_tenable·2024-09-09·CVSS 7.5
[HIGH] CVE-2021-20123, CVE-2021-20124: DrayTek Vulnerabilities Discovered by Tenable Research Added to CISA KEV
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Tenable
Multiple Vulnerabilities in Draytek VigorConnect 1.60.0-B3
blogs_tenable·2021-10-12
Multiple Vulnerabilities in Draytek VigorConnect 1.60.0-B3
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
2021-10-13
Published
2024-09-03
Added to CISA KEV
Exploited in the wild