CVE-2026-3040
Published: 23 February 2026
Summary
CVE-2026-3040 is a medium-severity Command Injection (CWE-77) vulnerability in Draytek Vigor300B Firmware. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-3040 is an OS command injection vulnerability in DrayTek Vigor 300B routers running firmware versions up to 1.5.1.6. It affects the cgiGetFile function within the /cgi-bin/mainfunction.cgi/uploadlangs endpoint of the Web Management Interface, where manipulation of the File argument enables command injection. The issue is classified under CWE-77 (Command Injection) and CWE-78 (OS Command Injection), with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
An authenticated remote attacker with high privileges, such as administrative access to the Web Management Interface, can exploit this vulnerability over the network with low complexity. Successful exploitation allows injection and execution of arbitrary operating system commands, potentially leading to limited impacts on confidentiality, integrity, and availability, as reflected in the CVSS metrics.
Advisories from sources like VulDB and a GitHub issue tracker confirm the vulnerability, noting that a public exploit is available and may be in use. The vendor has stated that the Vigor 300B is end-of-life (EoL) and will not receive a patch, emphasizing that this is an authenticated issue affecting only unsupported products.
In context, this vulnerability highlights risks in legacy network devices, where public exploits increase the likelihood of targeted attacks on unpatched, EoL hardware still in use.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7476
Vulnerability details
A vulnerability was identified in DrayTek Vigor 300B up to 1.5.1.6. This affects the function cgiGetFile of the file /cgi-bin/mainfunction.cgi/uploadlangs of the component Web Management Interface. The manipulation of the argument File leads to os command injection. The attack may…
more
be initiated remotely. The exploit is publicly available and might be used. The vendor confirms that "300B is EoL, and this is an authenticated vulnerability. We don't plan to fix it." This vulnerability only affects products that are no longer supported by the maintainer.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in exposed web management interface directly enables exploitation of public-facing application for initial device access (T1190) and arbitrary command execution on network device (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of untrusted input (the File argument) to block OS command injection at the uploadlangs endpoint.
Limits administrative privileges on the Web Management Interface so that only the minimum accounts needed can reach the vulnerable cgiGetFile function.
Mandates explicit handling or replacement of EoL/unsupported components such as the Vigor 300B firmware that will never receive a patch.