Cyber Resilience

CVE-2020-15415

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 30 June 2020
Modified: 07 November 2025
KEV Added: 30 September 2024
Patch: firmware 1.5.1 or later
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9300 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-15415 is a critical-severity OS Command Injection (CWE-78) vulnerability in DrayTek Vigor3900 firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-15415 is an OS command injection vulnerability (CWE-78) affecting DrayTek Vigor3900, Vigor2960, and Vigor300B devices running firmware prior to 1.5.1. The flaw resides in the cgi-bin/mainfunction.cgi/cvmcfgupload endpoint, which fails to sanitize filenames containing shell metacharacters when the Content-Type header is set to text/x-python-script. This issue is distinct from the related CVE-2020-14472.

Unauthenticated attackers with network access can exploit the vulnerability by sending a crafted HTTP request that triggers arbitrary command execution on the device. Successful exploitation grants full control over the affected appliance, allowing attackers to read or modify data, alter device configuration, or disrupt availability, consistent with the CVSS 9.8 rating reflecting no required privileges or user interaction.

DrayTek's security advisory recommends upgrading to firmware version 1.5.1 or later to remediate the flaw. The vulnerability is also tracked in CISA's Known Exploited Vulnerabilities catalog, and public proof-of-concept material is available from the CLP-team repository documenting the command-injection technique.

EU & UK References

Vulnerability details

On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 30 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor    Product              Version
draytek   vigor3900 firmware   ≤ 1.5.1
draytek   vigor2960 firmware   ≤ 1.5.1
draytek   vigor300b firmware   ≤ 1.5.1

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation and sanitization of untrusted input, such as HTTP upload filenames and Content-Type values, to block the shell metacharacters that enable command injection.

SI-2 Flaw Remediation (prevent)

Mandates prompt application of the firmware patch (1.5.1 or later) that eliminates the cvmcfgupload command-injection flaw before it can be exploited.

SC-7 Boundary Protection (prevent)

Enforces boundary protections (for example, interface ACLs or WAF rules) that block unauthenticated network access to the vulnerable CGI endpoint.
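As an added example (not code from DrayTek, the advisory, or the CLP-team material), the following Python turns the three controls above and the mechanism described under "Deeper analysis" into working checks: an allow-list filename validator of the kind SI-10 calls for, a firmware version gate for SI-2, and a classifier that a boundary device or log pipeline could apply to requests against the cvmcfgupload endpoint. The endpoint path, the trigger content type and the fixed version 1.5.1 come from the vulnerability description; the JSON-per-line request records, the IP addresses and the filenames in them are constructed for this example.

```python
"""Defensive checks for the cvmcfgupload command-injection pattern (CVE-2020-15415).

Added example; not DrayTek's code and not taken from the advisory.
The JSON-per-line request log format used below is constructed for the example.
"""
import json
import re
from typing import Iterable

# Endpoint, trigger content type and fixed version named in the vulnerability description.
VULN_ENDPOINT = "/cgi-bin/mainfunction.cgi/cvmcfgupload"
TRIGGER_CONTENT_TYPE = "text/x-python-script"
FIXED_VERSION = (1, 5, 1)

# SI-10 style allow-list: a leading alphanumeric, then letters, digits, dot,
# underscore or hyphen, at most 64 characters. An allow-list is preferred to a
# deny-list because the shell's set of special characters is easy to under-count.
SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# Deny-list kept only to explain *why* a rejected name is dangerous.
SHELL_META = set(";|&`$(){}<>\n\r'\"\\ ")


def is_safe_filename(name: str) -> bool:
    """Strict allow-list check an upload handler applies before the name reaches a shell or the filesystem."""
    return SAFE_FILENAME.fullmatch(name) is not None and ".." not in name


def contains_shell_meta(name: str) -> bool:
    """True if the name holds any character the shell would interpret."""
    return any(ch in SHELL_META for ch in name)


def needs_patch(version: str) -> bool:
    """SI-2: firmware older than 1.5.1 is affected and must be updated."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < FIXED_VERSION


def normalise_content_type(ct: str) -> str:
    """Drop parameters such as '; charset=utf-8' and lower-case the media type."""
    return ct.split(";", 1)[0].strip().lower()


def classify(event: dict) -> str:
    """Return 'ignore', 'benign', 'suspicious' or 'exploit-pattern' for one request record.

    'exploit-pattern' is the exact combination the vulnerability description gives:
    the upload endpoint, a filename outside the allow-list, and the
    text/x-python-script content type. Other unsafe names are 'suspicious'.
    """
    if event.get("method") != "POST" or not event.get("path", "").startswith(VULN_ENDPOINT):
        return "ignore"
    filename = event.get("filename", "")
    if is_safe_filename(filename):
        return "benign"
    if normalise_content_type(event.get("content_type", "")) == TRIGGER_CONTENT_TYPE:
        return "exploit-pattern"
    return "suspicious"


def scan(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Run classify() over JSON-per-line request records; returns (verdict, src, filename) for non-ignored events."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict != "ignore":
            findings.append((verdict, event.get("src", "?"), event.get("filename", "")))
    return findings


# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE_LOG = """
{"src": "192.0.2.10", "method": "GET", "path": "/cgi-bin/mainfunction.cgi/login", "content_type": "", "filename": ""}
{"src": "192.0.2.11", "method": "POST", "path": "/cgi-bin/mainfunction.cgi/cvmcfgupload", "content_type": "application/octet-stream", "filename": "backup-2020.cfg"}
{"src": "198.51.100.7", "method": "POST", "path": "/cgi-bin/mainfunction.cgi/cvmcfgupload", "content_type": "text/x-python-script; charset=utf-8", "filename": "cfg.py;id"}
{"src": "198.51.100.8", "method": "POST", "path": "/cgi-bin/mainfunction.cgi/cvmcfgupload", "content_type": "application/octet-stream", "filename": "weird name.cfg"}
"""

if __name__ == "__main__":
    for verdict, src, name in scan(SAMPLE_LOG.splitlines()):
        print(f"{verdict:16} {src:14} {name!r}")
    print("patch needed for 1.4.4:", needs_patch("1.4.4"))
```

The classifier deliberately treats content type as a tie-breaker rather than a gate: a boundary device should still reject or alert on any unsafe filename reaching this endpoint, because the content-type condition describes how this particular flaw is triggered, not the only way an upload handler can be abused.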

References