CVE-2020-8515

CRITICAL KEV NUCLEI

DrayTek Vigor2960/Vigor3900/Vigor300B Beta - Unauthenticated Remote Code Execution via mainfunction.cgi

Exploitation Summary

CVE-2020-8515 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 4 public exploits from researchers including 0xsha, imjdl, and darrenmartyn. A Nuclei detection template is also available.

Description

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.

Exploits (4)

exploitdb WORKING POC
by 0xsha · goremotelinux
https://www.exploit-db.com/exploits/48268

This exploit leverages an unauthenticated command injection vulnerability in DrayTek routers via the 'keyPath' parameter in the '/cgi-bin/mainfunction.cgi' endpoint. It constructs a malicious payload to execute arbitrary commands by bypassing input sanitization using ${IFS} for space substitution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: DrayTek Vigor2960, Vigor3900, Vigor300B (versions 1.3.1_Beta, 1.4.4_Beta, 1.3.3_Beta, 1.4.2.1_Beta, 1.4.4_Beta)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable firmware version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 14 stars
by imjdl · remote
https://github.com/imjdl/CVE-2020-8515-PoC

This repository contains a functional exploit PoC for CVE-2020-8515, a command execution vulnerability in DrayTek Vigor routers. The exploit leverages a command injection flaw in the 'mainfunction.cgi' endpoint by manipulating the 'keyPath' parameter.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: DrayTek Vigor routers (Vigor3900, Vigor2960, Vigor300B)
No auth needed
Prerequisites: Network access to the vulnerable router's web interface
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 3 stars
by darrenmartyn · remote
https://github.com/darrenmartyn/CVE-2020-8515

This repository contains a functional Python exploit for CVE-2020-8515, a command injection vulnerability in Draytek Vigor routers. The exploit demonstrates remote code execution (RCE) by injecting commands into the 'keyPath' parameter of the login endpoint, with the injected command executed twice due to the vulnerability's behavior.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Draytek Vigor routers (e.g., Vigor 2960, Vigor 3900, Vigor 300B)
No auth needed
Prerequisites: Network access to the target device · Target device must be running a vulnerable Draytek firmware
devstral-2 · analyzed Feb 18, 2026

nomisec SCANNER 2 stars
by truerandom · remote
https://github.com/truerandom/nmap_draytek_rce

This repository contains an Nmap script designed to detect CVE-2020-8515, a remote code execution vulnerability affecting Draytek devices. The script is likely used for scanning and identifying vulnerable systems rather than exploiting them.

Classification: Scanner (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Draytek devices (specific versions not specified)
No auth needed
Prerequisites: Nmap installed · Network access to target devices
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

DrayTek - Remote Code Execution
CRITICAL · by pikpikcu

Scores

CVSS v3 9.8
EPSS 0.9432
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2020-04-03
InTheWild.io 2020-03-27
ENISA EUVD EUVD-2020-29381
CWE CWE-78
Status published
Products (5)
draytek/vigor2960_firmware 1.3.1 beta
draytek/vigor300b_firmware 1.3.3 beta
draytek/vigor300b_firmware 1.4.2.1 beta
draytek/vigor300b_firmware 1.4.4 beta
draytek/vigor3900_firmware 1.4.4 beta
Published Feb 01, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026