CVE-2023-1162
Published 2023-03-03
- Priority: P272 · high
- CVSS 3.1 base score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- EPSS: 26.05% (97.7th percentile)
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5. Affected is an unknown function of the file mainfunction.cgi of the component Web Management Interface. The manipulation of the argument password leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222258 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| draytek | vigor_2960 | — | — |
| draytek | vigor_2960 | — | — |
| draytek | vigor_2960_firmware | — | — |
Detection & IOCs (extracted from sources)
Path: /cgi-bin/mainfunction.cgi/trustcaupload
Snort/Suricata rule:

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi trustcaupload Command Injection Attempt (CVE-2023-1162)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:39; content:"/cgi-bin/mainfunction.cgi/trustcaupload"; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|password|22|"; pcre:"/^.+(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24)|(?:\x26{2}|%26%26))+/R"; reference:cve,2023-1162; reference:url,github.com/xxy1126/Vuln/blob/main/Draytek/2.md; classtype:attempted-admin; sid:2058380; rev:1; metadata:affected_product DrayTek, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_17, cve CVE_2023_1162, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_12_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

What the rule checks:

- Target HTTP POST requests to the exact URI path /cgi-bin/mainfunction.cgi/trustcaupload (bsize:39 enforces an exact URI length match), indicating exploitation of the trustcaupload endpoint.
- Inspect the HTTP request body for a multipart form-data field named 'password' (Content-Disposition header with name="password"), which is the injection vector.
- In the password field value, detect command injection metacharacters in URL-encoded or raw form: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C), dollar sign ($/%24), or double ampersand (&&/%26%26).
- The attack is plaintext (non-TLS) and should be monitored at the network perimeter and internally; the exploit is publicly disclosed and actively usable.
- Map detections to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under tactic TA0001 (Initial Access).
- The affected product (DrayTek Vigor 2960 firmware 1.5.1.4/1.5.1.5) is end-of-life and no longer supported by the vendor; no patch will be issued.
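As an added example (not code from the page's sources or from the rule's authors), the following Python applies the same three conditions the rule encodes to a parsed HTTP request, for replaying proxy or web-server logs against this endpoint: a POST to the exact 39-byte URI, a multipart field named password, and any of the rule's metacharacters (raw or URL-encoded) in that field's value. The function names, the boundary string and the sample password values are constructed for the example; it checks the decoded field value rather than the raw byte stream the PCRE scans.

```python
import re
from typing import Dict, Optional

# Exact URI the rule matches; bsize:39 in the signature is the byte length of this path.
TARGET_URI = "/cgi-bin/mainfunction.cgi/trustcaupload"

# Metacharacters from the rule's PCRE, raw and URL-encoded:
# ;/%3B  newline/%0A  `/%60  |/%7C  $/%24  &&/%26%26
META_RE = re.compile(r"(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24|&&|%26%26)")


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Minimal multipart/form-data parser: returns {field name: raw value}."""
    fields: Dict[str, str] = {}
    for part in body.split("--" + boundary)[1:]:
        if part.startswith("--"):      # closing boundary "--<boundary>--"
            break
        if part.startswith("\r\n"):    # CRLF that ends the boundary line
            part = part[2:]
        if part.endswith("\r\n"):      # CRLF before the next boundary
            part = part[:-2]
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]*)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields


def inspect_request(method: str, uri: str, content_type: str, body: str) -> Optional[str]:
    """Return a reason string when the request meets all of the rule's conditions, else None."""
    if method != "POST" or uri != TARGET_URI:
        return None
    boundary = re.search(r"boundary=([^;\s]+)", content_type)
    if not boundary:
        return None
    password = parse_multipart(body, boundary.group(1)).get("password")
    if password is None:
        return None
    hit = META_RE.search(password)
    return f"metacharacter {hit.group(0)!r} in password field" if hit else None


# Constructed sample traffic (hypothetical boundary value, not a capture).
BOUNDARY = "----ExampleBoundary1234"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def build_body(password: str) -> str:
    return (f"--{BOUNDARY}\r\n"
            'Content-Disposition: form-data; name="password"\r\n\r\n'
            f"{password}\r\n--{BOUNDARY}--\r\n")
```

A legitimately chosen password that contains `$`, `|` or `;` matches as well, so hits on this endpoint are worth correlating with expected admin activity before escalating.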
CVSS provenance

- NVD, CVSS v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 8.3 HIGH (AV:N/AC:L/Au:M/C:C/I:C/A:C)
Suricata

- Rule: ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi trustcaupload Command Injection Attempt (CVE-2023-1162)
- Source: suricata · 2024-12-17 · CVSS 7.2 · severity HIGH
- The full rule text (sid 2058380) is listed under Detection & IOCs above.
No public exploits indexed.
No writeups or analysis indexed.