CVE-2023-1162
Published: 03 March 2023
Summary
CVE-2023-1162 is a high-severity Command Injection (CWE-77) vulnerability in DrayTek Vigor 2960 firmware. Its CVSS v3.1 base score is 7.2 (High).
Operationally, its EPSS score places it in the top 3.8% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-1162 is a command injection vulnerability, tracked under CWE-77, that affects the web management interface of the DrayTek Vigor 2960 router in firmware versions 1.5.1.4 and 1.5.1.5. The flaw resides in an unknown function within the mainfunction.cgi file, where the password argument is passed to a command without sanitization, so that shell metacharacters in the supplied value cause arbitrary operating system commands to run. The issue carries a CVSS v3.1 base score of 7.2 (High); the CVE record is flagged UNSUPPORTED WHEN ASSIGNED, meaning the affected firmware was already end-of-life when the identifier was assigned and the vendor will not ship a fix.
The network-reachable attack requires high privileges, i.e. an attacker who already holds (or has phished, guessed or reused) administrative credentials for the web interface. Successful exploitation yields command execution as the web server process on the router, resulting in full compromise of confidentiality, integrity, and availability of the device. Public availability of proof-of-concept code lowers the effort for targeted attacks against management interfaces exposed to the internet or to untrusted internal segments.
No vendor patches or official mitigations are available because the affected firmware versions are unsupported. Security practitioners are advised to retire or isolate these devices, restrict administrative interface access to a dedicated management network (never the WAN side), monitor requests to mainfunction.cgi for injection attempts, and migrate to currently supported DrayTek hardware.
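Because no patch exists, detection at the management-interface boundary is the practical control while the devices are being retired. The following is an added example (not code from the page or from DrayTek) showing how the CWE-77 signal described above looks in request telemetry: a request to mainfunction.cgi whose password field carries shell operators or command substitution. It assumes a hypothetical reverse proxy or IDS in front of the admin UI that records the decoded form body as one JSON-like record per request; the path, field names and sample events are constructed for illustration, and the detector is generic enough to run over any such records.

```python
"""Flag command-injection attempts in the `password` field sent to mainfunction.cgi.

Added example for CVE-2023-1162; not the router's or vendor's code. Event format and
sample traffic are constructed (hypothetical reverse-proxy records with decoded bodies).
"""
import re
from urllib.parse import parse_qs

# Shell operators, backticks and $( ) substitution: none of these belong in a
# password submitted to a login form. Their presence is the CWE-77 indicator.
SHELL_META = re.compile(r"\$\(|[`;|&\r\n]")

# Assumption: the vulnerable CGI is reachable under a path ending in this name.
TARGET_SUFFIX = "mainfunction.cgi"


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict (first value wins).

    parse_qs percent-decodes values, so %3B becomes ';' and %0a becomes '\\n', which
    is exactly what a device-side shell would see after the CGI decodes the field.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_injection_attempt(event: dict) -> bool:
    """True when a request to mainfunction.cgi carries shell metacharacters in `password`."""
    if not event.get("path", "").endswith(TARGET_SUFFIX):
        return False
    password = decode_form(event.get("body", "")).get("password")
    return bool(password) and SHELL_META.search(password) is not None


def scan(events) -> list:
    """Return (source address, decoded password) for every suspicious request."""
    return [
        (e["src"], decode_form(e["body"])["password"])
        for e in events
        if is_injection_attempt(e)
    ]


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/mainfunction.cgi",
     "body": "action=login&username=admin&password=S3cure%21Pass"},          # benign login
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi-bin/mainfunction.cgi",
     "body": "action=login&username=admin&password=x%3Bid"},                 # ';' operator
    {"src": "198.51.100.8", "method": "POST", "path": "/cgi-bin/mainfunction.cgi",
     "body": "action=login&username=admin&password=%24%28id%29"},            # $( ) substitution
    {"src": "198.51.100.9", "method": "POST", "path": "/cgi-bin/mainfunction.cgi",
     "body": "action=login&username=admin&password=abc%0aid"},               # encoded newline
    {"src": "10.0.0.6", "method": "GET", "path": "/cgi-bin/status.cgi",
     "body": "password=x%3Bid"},                                             # other endpoint, ignored
    {"src": "10.0.0.7", "method": "POST", "path": "/cgi-bin/mainfunction.cgi",
     "body": "action=login&username=admin&password=Pa%24%24word"},           # lone '$' is benign
]

if __name__ == "__main__":
    for src, pw in scan(SAMPLE_EVENTS):
        print(f"ALERT cve=CVE-2023-1162 src={src} password={pw!r}")
```

Matching on the decoded value rather than the raw body matters: an attacker will percent-encode the operators, and a rule that looks for a literal `;` in the URL-encoded body misses `%3B`. Because the attack requires administrative credentials, a hit from a source that also logged in successfully should be treated as a compromised admin account, not only as a blocked request.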
The EPSS score rose from a low baseline to a peak of 0.4146 on 2026-01-13 and currently stands at 0.2432, i.e. an estimated 24% probability of exploitation activity in the wild within the next 30 days. EPSS is a predictive model, not a record of observed attacks, so this reflects sustained exploitation interest in a publicly documented, unpatchable flaw rather than confirmed compromise.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23444
Vulnerability details
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in DrayTek Vigor 2960 1.5.1.4/1.5.1.5. Affected is an unknown function of the file mainfunction.cgi of the component Web Management Interface. The manipulation of the argument password leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-222258 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s): CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
DrayTek Vigor 2960 firmware 1.5.1.4 and 1.5.1.5 (Web Management Interface, mainfunction.cgi); end-of-life, no fixed version available.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.