Cyber Resilience

CVE-2023-1009

MediumPublic PoC

Published: 24 February 2023

Published
24 February 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0345 87.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-1009 is a medium-severity Path Traversal (CWE-22) vulnerability in Draytek Vigor2960 Firmware. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 12.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-1009 is a path traversal vulnerability, tracked as CWE-22, that affects the web management interface of the DrayTek Vigor 2960 router running firmware versions 1.5.1.4 and 1.5.1.5. The flaw resides in the sub_1DF14 function within /cgi-bin/mainfunction.cgi, where the "option" argument can be supplied with a traversal sequence such as "/../etc/passwd" to access files outside the intended directory. The issue was reported against an unsupported product line and carries a CVSS 3.1 score of 6.5.

An authenticated remote attacker with low privileges can send a crafted HTTP request to the web interface and retrieve sensitive files from the device, resulting in disclosure of confidential information such as system credentials. No user interaction is required, and a public exploit has been made available.

The listed references consist of a proof-of-concept disclosure and Vuldb entries; they contain no vendor advisory or patch information because the affected firmware is explicitly unsupported. The EPSS score rose from a low baseline to a peak of 0.0576 before receding to its current value of 0.0345, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as critical has been found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5. Affected is the function sub_1DF14 of the file /cgi-bin/mainfunction.cgi of the component Web Management Interface. The manipulation of the argument option with…

more

the input /../etc/passwd- leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-221742 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

draytek
vigor2960 firmware
1.5.1.4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

References