Cyber Resilience

CVE-2021-20124

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 13 October 2021
Modified: 03 November 2025
KEV Added: 03 September 2024
Patch: not listed
CVSS v3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.9356 (99.8th percentile)
Risk Priority: 91 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-20124 is a high-severity path traversal (CWE-22) vulnerability in DrayTek VigorConnect. Its CVSS v3.1 base score is 7.5 (High).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof of concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A path traversal vulnerability (described in the CVE record as local file inclusion) exists in DrayTek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. Classified as CWE-22, the flaw lets a caller step outside the intended download directory and read arbitrary files on the underlying operating system. It carries a CVSS v3.1 base score of 7.5: network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N, UI:N), with high impact to confidentiality and none to integrity or availability (C:H/I:N/A:N).

An unauthenticated remote attacker can send crafted download requests to the WebServlet endpoint and retrieve any file readable by the service account. Because the service runs as root, that is effectively every file on the host, including configuration data, credentials and other sensitive system content.

The issue is listed in the CISA Known Exploited Vulnerabilities catalog (added 03 September 2024), confirming observed in-the-wild exploitation, and is detailed in Tenable research advisory TRA-2021-42. No vendor patch or mitigation guidance is given in the references available here.
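Exploitation of this class of bug leaves a recognisable trace in web server access logs: requests to the download endpoint whose parameters contain ".." segments, often percent-encoded once or twice to slip past naive filters. The script below is an added example for this page (not VigorConnect code and not from Tenable or the vendor) that scans constructed combined-format log lines for such requests. The parameter name "file" in the samples is an assumption; the real VigorConnect parameter is not named on this page, so the check inspects every query value rather than one name.

```python
"""Flag requests to a WebServlet download endpoint whose path or query
values carry path-traversal sequences, undoing nested percent-encoding first.

Added example for this page (not VigorConnect code, not from Tenable or the
vendor). The log lines are constructed in Apache/nginx combined format and
the parameter name "file" is an assumption."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Deliberately loose: ".." followed by a separator or end of string, anywhere.
# It also catches "....//" style payloads; on a detection path a false
# positive is cheaper than a miss.
TRAVERSAL_RE = re.compile(r'\.\.(?:[\\/]|$)')

# Constructed sample: two traversal attempts (one double-encoded), a benign
# download, a traversal against an unrelated path, and a "....//" variant.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /WebServlet?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834',
    '203.0.113.5 - - [10/Oct/2024:12:00:02 +0000] "GET /WebServlet?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 912',
    '198.51.100.7 - - [10/Oct/2024:12:00:03 +0000] "GET /WebServlet?file=report.pdf HTTP/1.1" 200 40212',
    '198.51.100.7 - - [10/Oct/2024:12:00:04 +0000] "GET /index.html?file=../x HTTP/1.1" 404 0',
    '203.0.113.5 - - [10/Oct/2024:12:00:05 +0000] "GET /WebServlet?file=....//....//etc/passwd HTTP/1.1" 200 1834',
]


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    %252e%252e%252f (double-encoded ../) is normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    return TRAVERSAL_RE.search(full_decode(value)) is not None


def suspicious_requests(lines):
    """Return (client_ip, status, decoded_target) for every request whose
    path names WebServlet and whose path or any query value contains a
    traversal sequence. A 200 on such a line means the file was most
    likely served."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        path = full_decode(parts.path)
        if "WebServlet" not in path:
            continue
        values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        if is_traversal(path) or any(is_traversal(v) for v in values):
            hits.append((m.group("ip"), int(m.group("status")),
                         full_decode(m.group("target"))))
    return hits


if __name__ == "__main__":
    for ip, status, target in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

On the constructed sample this reports the three requests from 203.0.113.5 and ignores both the legitimate download and the traversal aimed at a path other than WebServlet. Pair the status code with the response size: a 200 with a body of a few hundred bytes for a name like etc/passwd is the signature of a successful read, and the source IP is then the pivot for the rest of the investigation.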

EU & UK References

Vulnerability details

A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 03 September 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: DrayTek
Product: VigorConnect
Version: 1.6.0 (1.6.0-B3 per the vulnerability description)

Mitigating Controls (NIST 800-53 r5)

- prevent, SI-10 (Information Input Validation): validate file path inputs in the WebServlet download function, on the canonicalised path, to block traversal sequences that enable arbitrary file reads.

- prevent, AC-3 (Access Enforcement): enforce authorization checks on the currently unauthenticated WebServlet endpoint so that file download requests cannot succeed without proper access approval.

- prevent, AC-6 (Least Privilege): run the web service with the minimum privileges required rather than as root, reducing the set of readable files an attacker can reach even if path traversal succeeds.
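The input validation control above is easy to get wrong: rejecting the literal string "../" misses "....//", encoded variants, absolute paths and symlinks. The following added example (not VigorConnect code; the scratch directory layout, file names and contents are constructed for the demonstration) shows the vulnerable join next to a resolver that validates the canonical path instead of the raw string, and exercises both against each escape route.

```python
"""Vulnerable vs. hardened resolution of a user-supplied file name for a
download handler.

Added example for this page, not VigorConnect code. The scratch directory
layout, file names and contents are constructed for the demonstration."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested name resolves outside the download root."""


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The CWE-22 pattern: join without validation. '../' walks out of
    base_dir, a symlink inside base_dir is followed wherever it points, and
    os.path.join discards base_dir entirely when `requested` is absolute."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Accept only names that resolve to a regular file strictly inside
    base_dir. The containment check runs on the canonical path, after '..',
    '.' and symlinks are collapsed, so '....//' tricks, percent-encoding the
    web layer has already undone, and symlink escapes are handled alike."""
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in file name")
    root = Path(base_dir).resolve(strict=True)
    # An absolute `requested` replaces root in the join; the check below catches it.
    candidate = (root / requested).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise PathTraversalError(f"{requested!r} resolves outside {root}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def demo() -> dict:
    """Create downloads/report.pdf and a decoy secret.conf one level up, plus a
    symlink inside downloads/ that points at the secret. For each requested
    name record whether the vulnerable resolver would hand out the secret and
    whether the hardened one accepts the request."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp).resolve()
        downloads = tmp / "downloads"
        downloads.mkdir()
        (downloads / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        secret = tmp / "secret.conf"
        secret.write_text("admin_password=constructed\n")
        (downloads / "link").symlink_to(secret)

        cases = {
            "plain": "report.pdf",
            "dotdot": "../secret.conf",
            "symlink": "link",
            "absolute": str(secret),
        }
        results = {}
        for label, name in cases.items():
            vuln = Path(vulnerable_resolve(str(downloads), name))
            leaked = vuln.is_file() and vuln.resolve() == secret
            try:
                safe_resolve(str(downloads), name)
                allowed = True
            except (PathTraversalError, FileNotFoundError):
                allowed = False
            results[label] = {"vulnerable_reads_secret": leaked, "safe_allowed": allowed}
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9} {outcome}")
```

Only the plain name is accepted by the hardened resolver; the "../" name, the symlink and the absolute path all read the secret through the vulnerable join and are all rejected by the canonical-path check. The resolver still runs with whatever privileges the service has, which is why it belongs alongside the other two controls: an unprivileged service account limits what a second bug can read, and authenticating the endpoint keeps anonymous callers away from the handler in the first place.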

References