CVE-2021-20124
Published: 13 October 2021
Summary
CVE-2021-20124 is a high-severity Path Traversal (CWE-22) vulnerability in Draytek Vigorconnect. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A local file inclusion vulnerability exists in Draytek VigorConnect version 1.6.0-B3 within the file download functionality of the WebServlet endpoint. The flaw, tracked as CWE-22, permits path traversal that exposes arbitrary files on the underlying operating system. It carries a CVSS 3.1 score of 7.5 with network attack vector, low complexity, and no required authentication or user interaction, resulting in high confidentiality impact.
An unauthenticated remote attacker can send crafted requests to the WebServlet endpoint and retrieve any file readable by the root user, enabling theft of configuration data, credentials, or other sensitive system content.
The issue appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation, and is detailed in Tenable research disclosure TRA-2021-42. No vendor patch or mitigation guidance is provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-7581
Vulnerability details
A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.
- CWE(s): CWE-22 (Path Traversal)
- KEV Date Added: 03 September 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validate file path inputs in the WebServlet download function and reject path traversal sequences, so a request cannot name a file outside the intended download directory.
- AC-3 (Access Enforcement): enforce authorization checks on the currently unauthenticated WebServlet endpoint, so file download requests cannot succeed without an approved session.
- Least privilege: run the web service with the minimum privileges it needs rather than as root, so that even a successful traversal reaches fewer readable files.
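The SI-10 control above is the one most directly tied to the flaw: the download handler must canonicalise the requested name and refuse anything that resolves outside its base directory. The following is an added illustration, not VigorConnect code and not taken from the Tenable disclosure; the function names, the base-directory layout and the sample request strings are all constructed for the example. It places the weak pattern (plain path concatenation) next to a hardened check and runs constructed requests through both.

```python
"""Path-traversal check for a file-download handler (added example; not
VigorConnect code). vulnerable_download_path() shows the weak pattern,
safe_download_path() the hardened one, run_demo() exercises both."""
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_download_path(base_dir: str, requested: str) -> str:
    """The weak pattern: concatenate the user-supplied name onto the base
    directory and serve whatever results. '../' segments walk out of
    base_dir, and os.path.join discards base_dir entirely when `requested`
    is an absolute path."""
    return os.path.join(base_dir, requested)


def safe_download_path(base_dir: str, requested: str) -> Path:
    """SI-10 style validation: decode once, refuse absolute paths and NUL
    bytes, canonicalise (following symlinks) and require the result to stay
    inside base_dir. Raises PermissionError on any traversal attempt."""
    base = Path(base_dir).resolve()
    decoded = unquote(requested)  # single decode: '%2e%2e%2f' -> '../'
    if ("\x00" in decoded
            or decoded.startswith(("/", "\\"))
            or Path(decoded).is_absolute()):
        raise PermissionError(f"rejected absolute or malformed path: {requested!r}")
    # resolve() collapses '..' and follows symlinks, so a link inside
    # base_dir that points outside it is also caught by the check below.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)  # ValueError if candidate is outside base
    except ValueError:
        raise PermissionError(f"rejected traversal: {requested!r}") from None
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


# Constructed sample requests, in the shape a download endpoint might see.
SAMPLE_REQUESTS = [
    "report.txt",                    # legitimate file inside base_dir
    "../../../../etc/passwd",        # classic dot-dot traversal
    "..%2F..%2F..%2Fetc%2Fpasswd",   # percent-encoded traversal
    "/etc/passwd",                   # absolute path; os.path.join drops base_dir
    "missing.txt",                   # inside base_dir but does not exist
]


def run_demo() -> dict:
    """Build a throwaway download directory holding one file, then run every
    sample request through both functions. Returns
    {request: (verdict, served_file_name_or_None, naive_join_result)}."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as base_dir:
        (Path(base_dir) / "report.txt").write_text("quarterly report\n")
        for req in SAMPLE_REQUESTS:
            naive = vulnerable_download_path(base_dir, req)
            try:
                safe = safe_download_path(base_dir, req)
                outcomes[req] = ("allowed", safe.name, naive)
            except PermissionError:
                outcomes[req] = ("blocked", None, naive)
            except FileNotFoundError:
                outcomes[req] = ("not_found", None, naive)
    return outcomes


if __name__ == "__main__":
    for req, (verdict, name, naive) in run_demo().items():
        print(f"{verdict:<9} {req!r:32} naive join would serve: {naive}")
```

The check deliberately decodes the input exactly once and then canonicalises, rather than searching for the literal string `..`; a substring blacklist misses encoded or mixed-separator variants, while comparing the resolved path against the resolved base catches them all. The AC-3 control from the list above belongs in front of this function: an authorization check on the session should run before any filename is examined, and the least-privilege control limits what a bypass of both could still reach.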