CVE-2023-24229
Severity: HIGH | EXPLOITED IN THE WILD
DrayTek Vigor2960 v1.5.1.4 - Command Injection
Exploitation Summary
CVE-2023-24229 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).
Description
DrayTek Vigor2960 v1.5.1.4 allows an authenticated attacker with network access to the web management interface to inject operating system commands via the mainfunction.cgi 'parameter' parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
References (6)
Core References
Various Sources: https://www.draytek.co.uk/support/guides/kb-remotemanagement
Various Sources: https://www.draytek.com/support/knowledge-base/5465
Exploit, Third Party Advisory: https://github.com/sadwwcxz/Vul
Not Applicable: https://www.draytek.com/
Scores
CVSS v3: 7.8
EPSS: 0.0672
EPSS Percentile: 93.1%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: total
Details (exploited in the wild, date first reported)
VulnCheck KEV: 2024-09-18
InTheWild.io: 2024-09-18
CWE: CWE-77, CWE-78
Status: published
Products (1): draytek/vigor2960_firmware 1.5.1.4
Published: Mar 15, 2023
Tracked Since: Feb 18, 2026