CVE-2020-14472
CRITICAL, IN THE WILD
Draytek Vigor3900, Vigor2960, and Vigor300B Firmware < 1.5.1.1 - OS Command Injection in mainfunction.cgi
Title source: llm
Exploitation Summary
CVE-2020-14472 has been observed being exploited in the wild (reported by InTheWild.io, 2021-01-22).
Description
On Draytek Vigor3900, Vigor2960, and Vigor 300B devices running firmware before 1.5.1.1, the mainfunction.cgi handler contains several OS command-injection vulnerabilities (CWE-77). The CVSS vector (AV:N/PR:N/UI:N) indicates they are reachable over the network without authentication or user interaction, and a successful injection gives full control of the device (C:H/I:H/A:H). Updating to firmware 1.5.1.1 or later removes the issue.
References (2)
1. https://gist.github.com/WinMin/46165779215f1d47ec257210428c0240 (Exploit, Third Party Advisory; x_refsource_misc)
2. https://gist.github.com/Cossack9989/fa9718434ceee4e6d4f6b0ad672c10f1 (Exploit, Third Party Advisory; x_refsource_misc)
Scores
CVSS v3
9.8
EPSS
0.0293
EPSS Percentile
85.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
InTheWild.io
2021-01-22
CWE
CWE-77
Status
published
Products (3)
draytek/vigor2960_firmware
< 1.5.1.1
draytek/vigor300b_firmware
< 1.5.1.1
draytek/vigor3900_firmware
< 1.5.1.1
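The three affected-product entries above all share the range "< 1.5.1.1", and the practical question for a fleet is which devices fall inside it. The following is an added example, not code from this record or from DrayTek: it parses dotted firmware versions into integer tuples and compares them numerically against the fixed version, because a plain string comparison mis-orders versions such as a hypothetical 1.10.0 against 1.5.1.1. The inventory lines and the handling of a trailing build suffix (e.g. "_RC1") are constructed assumptions; real exports and real DrayTek version strings may differ.

```python
from __future__ import annotations

import re

# Affected products and the fixed version, taken from the record above.
FIXED_VERSION = "1.5.1.1"
AFFECTED_PRODUCTS = {
    "draytek/vigor2960_firmware",
    "draytek/vigor300b_firmware",
    "draytek/vigor3900_firmware",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.5.1.1' into (1, 5, 1, 1) so that components compare numerically.

    Assumption: a trailing non-numeric build suffix (e.g. '_RC1') is ignored
    for the purpose of the affected-range check.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(.*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numeric, _suffix = m.groups()
    return tuple(int(part) for part in numeric.split("."))


def is_affected(product: str, version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `product` is one of the listed firmware lines and `version` < `fixed`.

    Shorter tuples are right-padded with zeros so that 1.5.1 and 1.5.1.0 compare equal.
    """
    if product.strip().lower() not in AFFECTED_PRODUCTS:
        return False
    v, f = parse_version(version), parse_version(fixed)
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


# Constructed inventory export (not real devices): one "product,version" per line.
INVENTORY = """\
draytek/vigor3900_firmware,1.4.4.2
draytek/vigor2960_firmware,1.5.1.1
draytek/vigor300b_firmware,1.5.0
draytek/vigor3900_firmware,1.5.1.10
draytek/vigor2862_firmware,3.9.1
"""


def affected_assets(inventory: str) -> list[tuple[str, str]]:
    """Return the (product, version) pairs from `inventory` that fall inside the affected range."""
    hits: list[tuple[str, str]] = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        product, version = (s.strip() for s in line.split(",", 1))
        if is_affected(product, version):
            hits.append((product, version))
    return hits


if __name__ == "__main__":
    for product, version in affected_assets(INVENTORY):
        print(f"VULNERABLE  {product}  {version}  (fixed in {FIXED_VERSION})")
```

Note that the check treats 1.5.1.1 itself as fixed and a product outside the three listed firmware lines as out of scope, which matches the record; a device of a different model is not cleared by this check, only unassessed.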
Published
Jun 24, 2020
Tracked Since
Feb 18, 2026