Cyber Resilience

CVE-2021-20123

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC


Published: 13 October 2021
Modified: 03 November 2025
KEV Added: 03 September 2024
Patch
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9349 (99.8th percentile)
Risk Priority: 91 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-20123 is a high-severity Path Traversal (CWE-22) vulnerability in DrayTek VigorConnect. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS 0.9349); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-20123 is a path traversal vulnerability, tracked as CWE-22, that affects Draytek VigorConnect version 1.6.0-B3. The flaw exists in the DownloadFileServlet endpoint used for file downloads and permits access to arbitrary files on the underlying operating system.

An unauthenticated remote attacker can exploit the issue over the network without any user interaction or credentials. Successful exploitation grants the ability to read arbitrary files with root privileges, producing a high confidentiality impact consistent with the assigned CVSS 3.1 score of 7.5.

The vulnerability appears in CISA's Known Exploited Vulnerabilities catalog and is detailed in Tenable research advisory TRA-2021-42. Both sources indicate that mitigation should follow vendor guidance: upgrade the affected version or restrict access to the affected endpoint.


Vulnerability details

A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: draytek
Product: vigorconnect
Version: 1.6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of file path inputs to the DownloadFileServlet, blocking the path traversal (CWE-22) that enables arbitrary file reads.

AC-3 Access Enforcement (prevent): Enforces access control policy on the DownloadFileServlet endpoint so that unauthenticated remote requests cannot retrieve OS files with root privileges.

SC-7 Boundary Protection (prevent): Boundary protection mechanisms can restrict or filter network traffic to the vulnerable servlet, limiting exposure to unauthenticated attackers.
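As an added illustration of the input-validation control above (example code written for this page, not DrayTek's or the page's own), the following Python helper shows how a download endpoint can validate a requested file name so that it can never resolve outside the intended directory; `resolve_download_path`, `is_rejected` and the base directory are hypothetical.

```python
"""Hardened file-name validation for a download endpoint (added example).

Not DrayTek code: a hypothetical stand-in for the check a servlet such as
DownloadFileServlet needs so a file-name parameter cannot reach files
outside the download directory (the NIST 800-53 SI-10 control above).
"""
import os
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested name would escape the download directory."""


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Return the canonical absolute path of `requested` inside `base_dir`."""
    name = unquote(requested)          # decode once, before any checks
    if "\x00" in name:
        raise PathTraversalError("NUL byte in file name")
    name = name.replace("\\", "/")     # treat backslashes as separators
    if posixpath.isabs(name):
        raise PathTraversalError("absolute path not allowed")
    if ".." in name.split("/"):
        raise PathTraversalError("parent-directory segment not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # The decisive check is structural: commonpath defeats prefix collisions
    # (/srv/files vs /srv/files2) and symlink escapes; the equality test
    # refuses the directory itself.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError("resolved path escapes download directory")
    return candidate


def is_rejected(base_dir: str, requested: str) -> bool:
    """True when `requested` is refused; useful for tests and log triage."""
    try:
        resolve_download_path(base_dir, requested)
    except PathTraversalError:
        return True
    return False


if __name__ == "__main__":
    base = "/srv/vigorconnect/downloads"   # constructed base directory
    for req in ("reports/2021-10.log", "../../etc/passwd"):
        print(req, "rejected" if is_rejected(base, req) else "allowed")
```

The textual checks give clear error messages for logging; the `realpath` plus `commonpath` comparison is what actually guarantees containment, so keep it even if the earlier checks are changed.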
