CVE-2020-14993
CRITICAL EXPLOITEDDrayTek Vigor2960-300B - Buffer Overflow
Title source: llmExploitation Summary
CVE-2020-14993 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
A stack-based buffer overflow on DrayTek Vigor2960, Vigor3900, and Vigor300B devices before 1.5.1.1 allows remote attackers to execute arbitrary code via the formuserphonenumber parameter in an authusersms action to mainfunction.cgi.
References (3)
Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/dexterone/Vigor-poc
Vendor Advisory x_refsource_misc
https://www.draytek.com/about/security-advisory
Various Sources x_refsource_confirm
https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-stack-based-buffer-overflow-vulnerability-%28cve-2020-14473%29
Scores
CVSS v3
9.8
EPSS
0.0533
EPSS Percentile
91.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2025-08-22
CWE
CWE-787
Status
published
Products (3)
draytek/vigor2960_firmware
< 1.5.1.1
draytek/vigor300b_firmware
< 1.5.1.1
draytek/vigor3900_firmware
< 1.5.1.1
Published
Jun 23, 2020
Tracked Since
Feb 18, 2026