CVE-2020-15415 — DrayTek Multiple Vigor Routers OS Command Injection Vulnerability

CVE-2020-15415

DrayTek Vigor Routers — Unauthenticated OS Command Injection via File Upload

What are DrayTek Vigor Routers?

DrayTek Vigor routers are VPN and WAN routers widely deployed by small-to-medium businesses and managed service providers (MSPs) for site-to-site VPN, SD-WAN and multi-WAN failover. The Vigor3900, Vigor2960 and Vigor300B are the high-capacity models built for branch and central-office deployments, and because they terminate VPN tunnels they are usually directly internet-facing. Their web management interfaces are frequently reachable from the internet as well, which keeps them a persistent target for initial access brokers and state-sponsored actors.

Overview

CVE-2020-15415 is an unauthenticated OS command injection vulnerability (CWE-78) in the configuration file upload handler of the DrayTek Vigor3900, Vigor2960 and Vigor300B routers. An attacker sends a crafted multipart HTTP POST to the upload CGI endpoint with shell metacharacters embedded in the filename parameter and obtains remote code execution without any credentials. The CVE was published in June 2020; CISA added it to the KEV catalog in September 2024, reflecting renewed in-the-wild exploitation of unpatched devices more than four years after disclosure.

Affected Versions

Product     Vulnerable firmware   Fixed firmware
Vigor3900   < 1.3.3               1.3.3 and later
Vigor2960   < 1.5.1               1.5.1 and later
Vigor300B   < 1.5.1               1.5.1 and later

Technical Details

The vulnerability exists in the /cgi-bin/mainfunction.cgi/cvmcfgupload endpoint, which handles configuration file uploads. The CGI handler passes the user-supplied filename parameter into a shell command line without sanitization. A filename containing shell metacharacters (for example a semicolon followed by a command, or a backtick-quoted command) therefore injects arbitrary OS commands, which execute with the privileges of the web server process, typically root on embedded router firmware. NVD tracks this as a separate issue from CVE-2020-14472, another unauthenticated command injection in the same mainfunction.cgi handler on the same models; firmware that fixes one must fix both.

The exploit is a multipart HTTP POST in which the file part carries the header Content-Type: text/x-python-script and the command injection payload sits in the filename field of that part's Content-Disposition. The text/x-python-script content type is what routes the request into the vulnerable branch of the CGI handler. No authentication cookie, session token or prior access is required.
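The pattern described above, as an added example that is not DrayTek's code or any published exploit: a small multipart parser that flags the combination the text identifies (text/x-python-script part plus shell metacharacters in the filename), followed by an illustrative vulnerable handler and its hardened form. The sample request body, the boundary string, the handler names and the /etc/config destination path are all assumptions constructed for this example; the handlers are Python stand-ins for the router's C CGI logic, not its source.

```python
"""Inspect a multipart upload for the CVE-2020-15415 injection pattern.

Added example, not DrayTek code: SAMPLE_BODY is a constructed multipart body
shaped after the page's description (a file part with Content-Type
text/x-python-script and shell metacharacters in its filename), and the
vulnerable/hardened handlers are illustrative Python stand-ins for the
router's C CGI logic, not its actual source.
"""
import re

# Characters that change the meaning of a POSIX shell command line.
SHELL_META = set(';|&`$(){}<>\n\r\'"\\')

# Constructed sample request body; the boundary is "----boundary".
SAMPLE_BOUNDARY = b"----boundary"
SAMPLE_BODY = (
    b"------boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="x.cfg;id"\r\n'
    b"Content-Type: text/x-python-script\r\n"
    b"\r\n"
    b"placeholder\r\n"
    b"------boundary--\r\n"
)


def parse_multipart(body: bytes, boundary: bytes):
    """Return [(headers, content)] for each part; header names are lower-cased."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            if not line:
                continue
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append((headers, content.rstrip(b"\r\n")))
    return parts


def filename_of(headers: dict):
    """Extract the quoted filename from a Content-Disposition header, if any."""
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return m.group(1) if m else None


def flag_upload(body: bytes, boundary: bytes):
    """Flag parts whose filename carries shell metacharacters.

    cve_path is True when the part also uses the text/x-python-script
    content type that the page identifies as the trigger for the
    vulnerable branch of the CGI handler.
    """
    findings = []
    for headers, _ in parse_multipart(body, boundary):
        fname = filename_of(headers)
        if fname is None:
            continue
        bad = sorted(SHELL_META.intersection(fname))
        if bad:
            ctype = headers.get("content-type", "").split(";")[0].strip().lower()
            findings.append({"filename": fname, "metachars": bad,
                             "cve_path": ctype == "text/x-python-script"})
    return findings


# Illustrative handlers (assumed shapes, not the firmware's code).
def vulnerable_handler(filename: str) -> str:
    """VULNERABLE: the name is pasted into a shell command line, so
    "x.cfg;id" makes a shell run id after cp. Returned, never executed here."""
    return f"cp /tmp/upload /etc/config/{filename}"


SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def is_safe_filename(filename: str) -> bool:
    """Allowlist: alphanumerics, underscore, dot, dash; no leading dot, no slash."""
    return SAFE_NAME.fullmatch(filename) is not None


def hardened_handler(filename: str) -> list:
    """Validate the name, then build an argv list for subprocess.run(argv)
    (no shell involved), so metacharacters cannot alter the command."""
    if not is_safe_filename(filename):
        raise ValueError("rejected filename")
    return ["cp", "/tmp/upload", f"/etc/config/{filename}"]


if __name__ == "__main__":
    print(flag_upload(SAMPLE_BODY, SAMPLE_BOUNDARY))
    print(vulnerable_handler("x.cfg;id"))
    print(hardened_handler("router.cfg"))
```

The detector flags any metacharacter-bearing filename and only marks cve_path when the content type matches, so a WAF or proxy rule built from it catches variants that swap the content type while still ranking the exact CVE pattern highest. The hardened handler shows the two controls that actually close CWE-78 here: an allowlist on the untrusted value and an argv list instead of a shell string.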

Discovery

The vulnerability was disclosed in June 2020, when the CVE was published and DrayTek issued its advisory. The late addition to CISA KEV (September 2024, more than four years after disclosure) indicates that unpatched Vigor routers remained in production at scale and were being actively targeted in 2024 intrusion campaigns.

Exploitation Context

CISA added CVE-2020-15415 to the KEV catalog on September 30, 2024 with a remediation deadline of October 21, 2024 (21 days), which signals confirmed active exploitation around that time. DrayTek routers have been a consistent target: in 2024 a large-scale botnet campaign (tracked by Black Lotus Labs and others) absorbed thousands of end-of-life DrayTek devices as SOHO router infrastructure, exploiting a combination of older unpatched CVEs. Many organizations running the affected Vigor3900, Vigor2960 and Vigor300B models had never applied the 2020 firmware updates.

Remediation

  1. Upgrade firmware: Apply firmware 1.3.3+ (Vigor3900) or 1.5.1+ (Vigor2960/300B) from DrayTek's download portal.
  2. Disable remote management if unused: Turn off web management access from the WAN interface in the router's admin UI — most deployments do not require internet-accessible management.
  3. Access control lists: Restrict the management interface to known IP ranges via ACL if remote management is required.
  4. Check for compromise: Review the router's admin accounts and firewall rules for unauthorized changes; look for unexpected outbound connections in traffic logs.
  5. End-of-life models: If running hardware that no longer receives firmware updates, plan for replacement — attackers specifically target EOL devices that cannot be patched.
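A log-triage pass that operationalizes steps 2 through 4, as an added example rather than DrayTek tooling: it classifies requests to the router's management interface by whether the source sits inside a management allowlist and whether the request hits the upload endpoint named in Technical Details. It assumes Combined Log Format lines from a reverse proxy or syslog collector in front of the router (the Vigor firmware's own log format may differ), the sample lines are constructed, and the allowlist CIDRs are placeholder ranges to be replaced with the networks that genuinely need management access.

```python
"""Triage an access log for CVE-2020-15415 exposure and exploitation attempts.

Added example, not DrayTek tooling. Assumes Combined Log Format lines from a
reverse proxy or syslog collector in front of the router (an assumption; the
Vigor firmware's own logs may look different). All log lines are constructed,
and the allowlist CIDRs are placeholders for the real management ranges.
"""
import ipaddress
import re

# Management-plane allowlist (placeholder RFC 1918 / RFC 5737 ranges).
MGMT_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# The upload endpoint named in the Technical Details section.
UPLOAD_PATH = "/cgi-bin/mainfunction.cgi/cvmcfgupload"

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)'
)

# Constructed sample log: an internal admin hit, an external POST to the
# upload endpoint, an allowlisted POST to it, and an external probe.
SAMPLE_LOG = """\
10.20.1.5 - admin [03/Oct/2024:09:12:01 +0000] "GET /cgi-bin/mainfunction.cgi HTTP/1.1" 200 5120
198.51.100.77 - - [03/Oct/2024:09:14:33 +0000] "POST /cgi-bin/mainfunction.cgi/cvmcfgupload HTTP/1.1" 200 88
203.0.113.9 - - [03/Oct/2024:09:15:10 +0000] "POST /cgi-bin/mainfunction.cgi/cvmcfgupload HTTP/1.1" 200 88
198.51.100.77 - - [03/Oct/2024:09:16:02 +0000] "GET /cgi-bin/mainfunction.cgi HTTP/1.1" 401 0
"""

SEVERITY_ORDER = {"critical": 0, "review": 1, "exposure": 2}


def parse_line(line: str):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status, _size = m.groups()
    return {"src": src, "ts": ts, "method": method,
            "path": target.split("?", 1)[0], "status": int(status)}


def in_allowlist(ip: str) -> bool:
    """True when the source address falls inside a management allowlist range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MGMT_ALLOWLIST)


def triage(log_text: str):
    """Classify management-plane requests, most severe first.

    critical: POST to the upload endpoint from outside the allowlist
              (unauthenticated reach to the vulnerable handler)
    review:   POST to the upload endpoint from an allowlisted source
    exposure: any other request from outside the allowlist (the management
              interface is reachable from there; steps 2 and 3 apply)
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        external = not in_allowlist(rec["src"])
        upload = rec["method"] == "POST" and rec["path"] == UPLOAD_PATH
        if upload and external:
            sev = "critical"
        elif upload:
            sev = "review"
        elif external:
            sev = "exposure"
        else:
            continue
        hits.append({"severity": sev, **rec})
    return sorted(hits, key=lambda h: SEVERITY_ORDER[h["severity"]])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["severity"]:8} {hit["src"]:16} {hit["ts"]} '
              f'{hit["method"]} {hit["path"]} {hit["status"]}')
```

A 200 on an external POST to the upload endpoint is the line to escalate: on vulnerable firmware the handler needs no session, so that request alone can mean code ran as root. Any "exposure" hit at all means remote management is reachable from outside the allowlist and step 2 or 3 has not been applied.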

Key Details

Property                  Value
CVE ID                    CVE-2020-15415
Vendor / Product          DrayTek — Multiple Vigor Routers
NVD Published             2020-06-30
NVD Last Modified         2025-11-07
CVSS 3.1 Score            9.8
CVSS 3.1 Vector           CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity                  CRITICAL
CWE                       CWE-78 (OS Command Injection)
CISA KEV Added            2024-09-30
CISA KEV Deadline         2024-10-21
Known Ransomware Use      No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-10-21. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2020-06-30   CVE-2020-15415 published; DrayTek issues security advisory
2024-09-30   Added to CISA Known Exploited Vulnerabilities catalog
2024-10-21   CISA BOD 22-01 remediation deadline