cbcvebase.
CVE-2021-20124
published 2021-10-13


Priority: P1 88 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2024-09-24
Exploited in the wild
EPSS: 69.25% (99.3rd percentile)
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Affected (1 range)

Vendor: draytek
Product: vigorconnect
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: /ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../etc/passwd
url: /ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../windows/win.ini
path: /ACSServer/WebServlet
yara matchers: type: word, part: header, words: ["application/octet-stream"]; type: regex, regex: ["root:.*:0:0:", "for 16-bit app support"]
  • Exploit requests target the WebServlet endpoint with path traversal sequences in the 'filename' parameter using the 'act=getMapImg_acs2' action. Detect GET requests to /ACSServer/WebServlet containing '../' sequences in the filename parameter.
  • Successful exploitation returns HTTP 200 with Content-Type header 'application/octet-stream'. Monitor for this response pattern on the WebServlet endpoint.
  • Shodan/FOFA fingerprints for exposed VigorConnect instances: search for http.html:"VigorConnect" or http.html:"vigorconnect" (Shodan) and body="vigorconnect" (FOFA). Only a handful of assets (~44 on FOFA, 37 unique IPs) are internet-exposed.
  • GreyNoise observed 22 IPs exploiting CVE-2021-20124 in the past 30 days, with active exploitation confirmed in the past 24 hours. Top targeted countries: Lithuania, United States, Singapore.
  • The vulnerability is unauthenticated — no session or credentials are required. Any GET request to /ACSServer/WebServlet with path traversal in the filename parameter from an unauthenticated source should be treated as a high-confidence exploitation attempt.
  • The vulnerability affects DrayTek VigorConnect 1.6.0-B3 specifically. Version 1.6.1 (released October 7, 2021) patches both CVE-2021-20123 and CVE-2021-20124. Detection rules should be scoped to unpatched instances.
  • Internet-facing VigorConnect attack surface is small (~44 results on FOFA, 37 unique IPs), but exploitation is still actively observed. Prioritize detection on any internet-exposed VigorConnect instance.
  • CISA added CVE-2021-20124 to the KEV catalog on September 3, 2024, with a remediation due date of September 24, 2024. Federal agencies and critical infrastructure operators should treat this as a priority.
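The request-side detection described in the bullets above (GET to /ACSServer/WebServlet with '../' in the filename parameter, HTTP 200 as the success signal), written out as an added example that is not part of this record or of any vendor tooling. It assumes a standard combined-format access log and constructed sample lines; it goes slightly beyond the bullets by percent-decoding the parameter repeatedly so encoded traversal sequences are caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')
ENDPOINT = "/ACSServer/WebServlet"
# A ".." path segment bounded by slashes or backslashes (or string ends).
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return a finding for a CVE-2021-20124-style request, or None for anything else."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer already
    for raw in params.get("filename", []):
        name = decode_fully(raw)
        if TRAVERSAL.search(name):
            return {"act": params.get("act", [""])[0], "filename": name}
    return None

def scan_log(lines):
    """Scan access-log lines; 'served' uses HTTP 200 as the proxy for a file being returned,
    since combined logs do not record the Content-Type header mentioned in the IOCs."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), status=int(m.group("status")),
                       served=m.group("status") == "200")
            findings.append(hit)
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "GET /ACSServer/WebServlet?act=getMapImg_acs2&filename=../../../../../../../etc/passwd HTTP/1.1" 200 1337',
    '203.0.113.5 - - [10/Sep/2024:12:00:02 +0000] "GET /ACSServer/WebServlet?act=getMapImg_acs2&filename=%2e%2e%2f%2e%2e%2fwindows%2fwin.ini HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Sep/2024:12:05:00 +0000] "GET /ACSServer/WebServlet?act=getMapImg_acs2&filename=map1.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Sep/2024:12:05:01 +0000] "GET /index.html HTTP/1.1" 200 512',
]
```

Running `scan_log(SAMPLE_LOG)` flags the two traversal requests from 203.0.113.5 and leaves the legitimate map-image request alone; only the first is marked as served.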

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd (v2.0): 7.8 HIGH, AV:N/AC:L/Au:N/C:C/I:N/A:N
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH