Cyber Resilience

CVE-2020-8515

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 01 February 2020

Modified: 07 November 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9432 (100.0th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-8515 is a critical-severity OS Command Injection (CWE-78) vulnerability in DrayTek Vigor300B firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2020-8515 is an unauthenticated remote code execution vulnerability in the web management interface of DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices. The flaw stems from improper handling of shell metacharacters passed to the cgi-bin/mainfunction.cgi endpoint, enabling command injection and resulting in root-level code execution on the affected routers. It is tracked under CWE-78 and carries a CVSS 3.1 base score of 9.8.

An attacker with network access to the management interface can send a crafted HTTP request containing shell metacharacters to the vulnerable CGI script. Because no authentication is required, successful exploitation grants immediate root privileges, allowing arbitrary command execution, configuration changes, or full device compromise.

DrayTek's security advisory states that the issue has been resolved in firmware version 1.5.1 for the Vigor3900, Vigor2960, and Vigor300B series; administrators are advised to apply the update promptly to eliminate the injection vector. Public exploit code and technical write-ups have been published, confirming the attack's practicality against unpatched beta releases.
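A detection sketch for the request pattern described above, added here as an example and not taken from DrayTek's advisory or any published exploit: it flags requests to cgi-bin/mainfunction.cgi whose decoded parameters contain shell metacharacters. The JSON log format, its field names and the parameter names are assumptions, and the sample records are constructed.

```python
import json
from urllib.parse import urlsplit, parse_qsl

TARGET = "/cgi-bin/mainfunction.cgi"
# Characters a POSIX shell treats specially. Checked only after URL-decoding,
# so percent-encoded forms such as %3B or %60 are caught as well.
SHELL_META = set(";|&`$()<>\n\r")

# Constructed sample records. Assumed format: one JSON object per line from a
# reverse proxy that also logs the request body. Parameter names are
# placeholders, not the device's real ones; addresses are documentation ranges.
SAMPLE_LOG = """
{"src": "198.51.100.7", "method": "POST", "uri": "/cgi-bin/mainfunction.cgi", "body": "field0=login&field1=admin"}
{"src": "203.0.113.9", "method": "POST", "uri": "/cgi-bin/mainfunction.cgi", "body": "field0=login&field1=x%3Bid"}
{"src": "203.0.113.9", "method": "GET", "uri": "/cgi-bin/mainfunction.cgi?q=a%60id%60", "body": ""}
{"src": "198.51.100.7", "method": "GET", "uri": "/index.html?q=a%3Bb", "body": ""}
"""

def suspicious_params(record):
    """Return [(name, decoded_value)] for parameters holding shell metacharacters."""
    url = urlsplit(record["uri"])
    if url.path.rstrip("/") != TARGET:
        return []  # only the management CGI named in the advisory is in scope
    # Split on the literal '&' separators first, then decode each value, so a
    # normal form body is not flagged merely for containing '&'.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    pairs += parse_qsl(record.get("body", ""), keep_blank_values=True)
    return [(k, v) for k, v in pairs if SHELL_META & set(k + v)]

def scan(log_text):
    """Return [(src, method, suspicious_params)] for every flagged record."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        bad = suspicious_params(rec)
        if bad:
            hits.append((rec["src"], rec["method"], bad))
    return hits

if __name__ == "__main__":
    for src, method, bad in scan(SAMPLE_LOG):
        print(f"ALERT {src} {method} {TARGET} -> {bad}")
```

Legitimate values such as passwords can contain these characters, so treat hits as triage leads and weigh them against whether the source should be reaching the management interface at all.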

Vulnerability details

DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI. This issue has been fixed in Vigor3900/2960/300B v1.5.1.

CWE(s)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

draytek · vigor2960 firmware · 1.3.1
draytek · vigor300b firmware · 1.3.3, 1.4.2.1, 1.4.4
draytek · vigor3900 firmware · 1.4.4

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires validation and sanitization of untrusted input to the cgi-bin/mainfunction.cgi endpoint, blocking shell metacharacter injection.

prevent: Enforces authentication and authorization checks before any request to the management CGI is processed, eliminating the unauthenticated root execution path.

prevent: Mandates prompt application of the vendor firmware update (v1.5.1) that removes the command-injection flaw in the affected DrayTek devices.
