CVE-2023-1009
Published: 24 February 2023
Summary
CVE-2023-1009 is a medium-severity Path Traversal (CWE-22) vulnerability in Draytek Vigor2960 Firmware. Its CVSS base score is 6.5 (Medium).
Operationally, ranked in the top 12.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-1009 is a path traversal vulnerability, tracked as CWE-22, that affects the web management interface of the DrayTek Vigor 2960 router running firmware versions 1.5.1.4 and 1.5.1.5. The flaw resides in the sub_1DF14 function within /cgi-bin/mainfunction.cgi, where the "option" argument can be supplied with a traversal sequence such as "/../etc/passwd" to access files outside the intended directory. The issue was reported against an unsupported product line and carries a CVSS 3.1 score of 6.5.
An authenticated remote attacker with low privileges can send a crafted HTTP request to the web interface and retrieve sensitive files from the device, resulting in disclosure of confidential information such as system credentials. No user interaction is required, and a public exploit has been made available.
The listed references consist of a proof-of-concept disclosure and Vuldb entries; they contain no vendor advisory or patch information because the affected firmware is explicitly unsupported. The EPSS score rose from a low baseline to a peak of 0.0576 before receding to its current value of 0.0345, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23301
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5. Affected is the function sub_1DF14 of the file /cgi-bin/mainfunction.cgi of the component Web Management Interface. The manipulation of the argument option with…
more
the input /../etc/passwd- leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-221742 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.