CVE-2021-20124
Published 2021-10-13
Priority P188 · high · 7.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-09-24
Exploited in the wild
EPSS: 69.25% (99.3th percentile)
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigorconnect | — | — |
Detection & IOCs (extracted from sources)
url: /ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../etc/passwd
url: /ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../windows/win.ini
yara: matchers: type: word, part: header, words: ["application/octet-stream"]; type: regex, regex: ["root:.*:0:0:", "for 16-bit app support"]
- Exploit requests target the WebServlet endpoint with path traversal sequences in the 'filename' parameter using the 'act=getMapImg_acs2' action. Detect GET requests to /ACSServer/WebServlet containing '../' sequences in the filename parameter.
- Successful exploitation returns HTTP 200 with Content-Type header 'application/octet-stream'. Monitor for this response pattern on the WebServlet endpoint.
- Shodan/FOFA fingerprints for exposed VigorConnect instances: search for http.html:"VigorConnect" or http.html:"vigorconnect" (Shodan) and body="vigorconnect" (FOFA). Only a handful of assets (~44 on FOFA, 37 unique IPs) are internet-exposed.
- GreyNoise observed 22 IPs exploiting CVE-2021-20124 in the past 30 days, with active exploitation confirmed in the past 24 hours. Top targeted countries: Lithuania, United States, Singapore.
- The vulnerability is unauthenticated — no session or credentials are required. Any GET request to /ACSServer/WebServlet with path traversal in the filename parameter from an unauthenticated source should be treated as a high-confidence exploitation attempt.
- The vulnerability affects DrayTek VigorConnect 1.6.0-B3 specifically. Version 1.6.1 (released October 7, 2021) patches both CVE-2021-20123 and CVE-2021-20124. Detection rules should be scoped to unpatched instances.
- Internet-facing VigorConnect attack surface is small (~44 results on FOFA, 37 unique IPs), but exploitation is still actively observed. Prioritize detection on any internet-exposed VigorConnect instance.
- CISA added CVE-2021-20124 to the KEV catalog on September 3, 2024, with a remediation due date of September 24, 2024. Federal agencies and critical infrastructure operators should treat this as a priority.
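The request-side detection described above can be run over web access logs. The following is an added example, not code from this page or its sources: the combined-style log format, the function names and the sample lines are assumptions constructed for illustration, and the HTTP status stands in for the response check because access logs rarely record Content-Type.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/acsserver/webservlet"  # endpoint named on this page, lower-cased
# Source address, request target and status from a combined-style log line.
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(filename):
    """True if any decoded path segment is '..' (forward or back slashes)."""
    return ".." in re.split(r"[\\/]+", fully_decode(filename))

def classify(line):
    """Return (source, verdict) for a traversal request to the endpoint, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if fully_decode(url.path).lower().rstrip("/") != ENDPOINT:
        return None
    names = parse_qs(url.query, keep_blank_values=True).get("filename", [])
    if not any(has_traversal(n) for n in names):
        return None
    # 200 means the server answered the request; anything else is an attempt.
    return (m["src"], "served" if m["status"] == "200" else "attempt")

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [03/Sep/2024:10:00:01 +0000] "GET /ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [03/Sep/2024:10:00:05 +0000] "GET /ACSServer/WebServlet?act=getMapImg_acs2&filename=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 404 0',
    '192.0.2.10 - - [03/Sep/2024:10:01:00 +0000] "GET /ACSServer/WebServlet?act=getMapImg_acs2&filename=floor1.png HTTP/1.1" 200 52110',
    '192.0.2.11 - - [03/Sep/2024:10:02:00 +0000] "GET /index.html?filename=../x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for src, verdict in scan(SAMPLE):
        print(src, verdict)
```

A "served" verdict on an instance still running 1.6.0-B3 warrants reviewing what the requested file contained; "attempt" verdicts are useful for tracking scanning sources.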
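CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.8 | HIGH | AV:N/AC:L/Au:N/C:C/I:N/A:N |
| vulncheck | | 7.5 | HIGH | |
| cisa | | 7.5 | HIGH | |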
CISA
Draytek VigorConnect Path Traversal Vulnerability
cisa·2024-09-03·CVSS 7.5
CVE-2021-20124 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Vulnerability: Draytek VigorConnect Path Traversal Vulnerability
Affected: DrayTek VigorConnect
Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.draytek.com/about/security-advisory/vigorconnect-software-security-vulnerability-(cve-2021-20123-cve-2021-20129); https://nvd.nist.gov/vuln/detail/CVE-2021-20124
Remediation Due Date: 2024-09-24
GHSA
GHSA-hj9j-3xxg-6259: A local file inclusion vulnerability exists in Draytek VigorConnect 1
ghsa_unreviewed·2022-05-24
CVE-2021-20124 [HIGH] CWE-22 GHSA-hj9j-3xxg-6259: A local file inclusion vulnerability exists in Draytek VigorConnect 1
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
VulnCheck
Draytek VigorConnect Path Traversal Vulnerability
vulncheck·2021·CVSS 7.5
CVE-2021-20123 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Affected: DrayTek VigorConnect
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://fortiguard.fortinet.com/encyclopedia/ips/55752; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-04&host_type=src&vulnerability=cve-2021-20123; https://www.tenable.com/blog/cve-2021-20123-
VulnCheck
Draytek VigorConnect Path Traversal Vulnerability
vulncheck·2021·CVSS 7.5
CVE-2021-20124 [HIGH] CWE-22 Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect Path Traversal Vulnerability
Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Affected: DrayTek VigorConnect
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-09-03&host_type=src&vulnerability=cve-2021-20124; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.tenable.com/blog/cve-2021-20123-cve-2021-20124-draytek-vulnera
No detection rules found.
Nuclei
Draytek VigorConnect 6.0-B3 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2021-20124 [HIGH] Draytek VigorConnect 6.0-B3 - Local File Inclusion
Draytek VigorConnect 6.0-B3 - Local File Inclusion
Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
Template:
```yaml
id: CVE-2021-20124
info:
  name: Draytek VigorConnect 6.0-B3 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Draytek VigorConnect 1.6.0-B3 is susceptible to local file inclusion in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
  impact: |
    Successful exploitation of this vuln
```
Greynoiseio
Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
blogs_greynoiseio·2025-03-25·CVSS 9.8
[CRITICAL] Amid Reports of Worldwide Reboots, GreyNoise Observes In-the-Wild Activity Against DrayTek Routers
Tenable
CVE-2021-20123, CVE-2021-20124: DrayTek Vulnerabilities Discovered by Tenable Research Added to CISA KEV
blogs_tenable·2024-09-09·CVSS 7.5
[HIGH] CVE-2021-20123, CVE-2021-20124: DrayTek Vulnerabilities Discovered by Tenable Research Added to CISA KEV
Tenable
Multiple Vulnerabilities in Draytek VigorConnect 1.60.0-B3
blogs_tenable·2021-10-12
Multiple Vulnerabilities in Draytek VigorConnect 1.60.0-B3
Greynoiseio
NoiseLetter September 2024
blogs_greynoiseio
NoiseLetter September 2024
- 2021-10-13: Published
- 2024-09-03: Added to CISA KEV
- Exploited in the wild