CVE-2023-24229
published 2023-03-15

Priority: P2 · 76 · high
CVSS 3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
VulnCheck KEV: exploited in the wild (ITW)
EPSS: 6.72% (93.1st percentile)
DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected (1 range)

Vendor: draytek
Product: vigor2960_firmware
Version range: not listed (the description names v1.5.1.4)
Fixed in: none listed

Detection & IOCs (extracted from sources)

path: /cgi-bin/mainfunction.cgi
filename: mainfunction.cgi
suricata rule (Emerging Threats; the page labels it "snort", but the http.method/http.uri sticky buffers and bsize are Suricata 5+ keywords):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi commandTable parameter Command Injection Attempt (CVE-2023-24229)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/cgi-bin/mainfunction.cgi"; fast_pattern; http.request_body; content:"action|3d|commandTable"; content:"command|3d|"; content:"parameter|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:cve,2023-24229; reference:url,github.com/advisories/GHSA-pqv5-8qj7-9f3r; classtype:attempted-admin; sid:2058382; rev:1; metadata:affected_product DrayTek, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_12_17, cve CVE_2023_24229, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_12_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests use HTTP POST to /cgi-bin/mainfunction.cgi with the body parameters action=commandTable, command= and parameter=. The rule pins the URI to exactly 25 bytes (bsize:25), so a request carrying a query string does not match.
  • The injection payload in the 'parameter' POST body field contains shell metacharacters, raw or percent-encoded: semicolon (;/%3B), newline (\n/%0A), backtick (`/%60), pipe (|/%7C) or dollar sign ($/%24). The PCRE is relative to the "parameter=" match and stops at the next '&', so a metacharacter in another body field (for example in command=) does not fire the rule.
  • The target is the DrayTek Vigor2960 web management interface. The rule's metadata assumes plaintext HTTP (tls_state plaintext); it only fires on perimeter or internal sensors when the interface is served over HTTP or TLS is terminated in front of the sensor.
  • Exploitation requires an authenticated session with network access to the web management interface; unauthenticated reachability of the interface alone is insufficient.
  • Only Vigor2960 v1.5.1.4 is affected, and the product is end-of-life and no longer supported by the maintainer, so no vendor fix is expected; mitigation is limited to restricting access to the management interface or retiring the device.
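The following Python reimplements the matching logic of the Emerging Threats rule above so the conditions can be exercised offline. It is an added example, not code from cvebase, Proofpoint ET or DrayTek; the helper names (parse_request, matches_rule, build) and the sample requests are constructed for this illustration and are not captured traffic. It models method, exact URI length, the three body content matches and the relative PCRE; it does not model the flow or $HOME_NET conditions.

```python
"""Reimplementation of the ET CVE-2023-24229 rule's match conditions.

Added example; not from cvebase, Proofpoint ET or DrayTek. The sample
requests below are constructed for testing, not captured traffic.
"""
import re

URI = b"/cgi-bin/mainfunction.cgi"  # 25 bytes, hence the rule's bsize:25

# Alternation copied from the rule's pcre: raw or percent-encoded ';' '\n' '`' '|' '$'.
# The leading '^[^\x26]*?' keeps the search inside the parameter value, i.e.
# it stops at the next '&', so metacharacters in other fields do not count.
META_RE = re.compile(
    rb"^[^\x26]*?(?:\x3b|%3[Bb]|\x0a|%0[Aa]|\x60|%60|\x7c|%7[Cc]|\x24|%24)+"
)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every content/pcre condition of the rule."""
    method, uri, body = parse_request(raw)
    if method != b"POST":                      # http.method; content:"POST"
        return False
    if uri != URI:                             # http.uri; bsize:25; content:"/cgi-bin/mainfunction.cgi"
        return False
    if b"action=commandTable" not in body:     # http.request_body content matches
        return False
    if b"command=" not in body:
        return False
    # pcre /R is relative to the last content match ("parameter="). Suricata
    # retries the relative match for every occurrence, so we do the same.
    start = 0
    while (idx := body.find(b"parameter=", start)) != -1:
        if META_RE.match(body[idx + len(b"parameter="):]):
            return True
        start = idx + 1
    return False


def build(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Assemble a minimal form-encoded HTTP/1.1 request for the samples."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: 192.0.2.1\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples (not real traffic).
HIT_ENCODED = build(b"POST", URI, b"action=commandTable&command=ping&parameter=127.0.0.1%3Bid")
HIT_RAW = build(b"POST", URI, b"action=commandTable&command=ping&parameter=`id`")
BENIGN = build(b"POST", URI, b"action=commandTable&command=ping&parameter=127.0.0.1")
# Metacharacter in command=, not parameter=: outside the PCRE's scope.
META_OTHER_FIELD = build(b"POST", URI, b"action=commandTable&parameter=1&command=ping%3Bid")
WRONG_METHOD = build(b"GET", URI, b"action=commandTable&command=ping&parameter=1%3Bid")
# Query string makes the URI longer than 25 bytes, defeating bsize:25.
WRONG_URI = build(b"POST", URI + b"?x=1", b"action=commandTable&command=ping&parameter=1%3Bid")

if __name__ == "__main__":
    for name, req in [("HIT_ENCODED", HIT_ENCODED), ("HIT_RAW", HIT_RAW),
                      ("BENIGN", BENIGN), ("META_OTHER_FIELD", META_OTHER_FIELD),
                      ("WRONG_METHOD", WRONG_METHOD), ("WRONG_URI", WRONG_URI)]:
        print(f"{name:18s} match={matches_rule(req)}")
```

The META_OTHER_FIELD and WRONG_URI samples show the two boundaries worth knowing when tuning: the rule deliberately inspects only the parameter value, and the exact-length URI check means any variation in the request target (query string, trailing slash) needs a separate rule.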

CVSS provenance

nvd: v3.1, 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck: 7.8 HIGH

Note that the NVD vector scores the attack vector as Local (AV:L) while the description and the detection rule describe requests to a network-reachable web management interface; where that interface is exposed, the practical attack vector is Network and the severity is correspondingly higher than 7.8 suggests.