Description
DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled.
Published: 2026-05-08
Score: 9.2 Critical (CVSS v4.0; the v3.1 score is 8.1)
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DrayTek Vigor 2960 firmware before version 1.5.1.4 contains an OS command injection flaw (CWE-78) in the CGI login handler, mainfunction.cgi. An unauthenticated attacker who knows a valid username whose account has MOTP enabled can place shell metacharacters in the formpassword field; the value is passed unsanitized to the otp_check.sh script, so the shell that runs the script interprets the injected text as additional commands. Those commands execute with the privileges of the web server process, and both CVSS vectors rate confidentiality, integrity and availability impact as high, so a successful exploit amounts to full compromise of the device.
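To make the execution path concrete, here is an added illustration of that pattern; it is not DrayTek firmware code (which is closed source) and it is not taken from the advisory. A CGI handler that interpolates request fields into a shell command line sits beside a hardened handler that allow-lists the value and runs the helper script without a shell. The function names, the script path /usr/share/vigor/otp_check.sh, the argument order handed to the script, and the assumption that the MOTP value is a short hexadecimal token are all illustrative assumptions.

```c
/* Added illustration of CWE-78 in a CGI login handler; not DrayTek code.
 * Script path, argument layout and the hex-token assumption are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define OTP_SCRIPT "/usr/share/vigor/otp_check.sh"   /* hypothetical path */

/* Vulnerable pattern: request fields are interpolated into a command line
 * that the handler would hand to system(). Anything the shell treats
 * specially in formpassword (; | & ` $( ) < > ...) becomes part of the
 * command. Only the string is built here so the caller can inspect it.
 * Returns 0 on success, -1 if the buffer is too small. */
int build_otp_command_unsafe(const char *user, const char *formpassword,
                             char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "%s %s %s", OTP_SCRIPT, user, formpassword);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

/* Hardening step 1: allow-list the value before it goes anywhere. A MOTP
 * token is assumed here to be 1..16 hexadecimal characters; anything else
 * is rejected. Returns 1 if the value is acceptable, 0 otherwise. */
int otp_param_is_valid(const char *value)
{
    size_t len = strlen(value);
    if (len == 0 || len > 16)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)value[i]))
            return 0;
    return 1;
}

/* Hardening step 2: never go through a shell. fork()+execv() passes user
 * and token as separate argv entries, so metacharacters are just bytes in
 * an argument. Returns the script's exit status, or -1 if the value was
 * rejected or the process could not be run. */
int run_otp_check_safe(const char *user, const char *formpassword)
{
    if (!otp_param_is_valid(formpassword))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)OTP_SCRIPT, (char *)user,
                               (char *)formpassword, NULL };
        execv(OTP_SCRIPT, argv);
        _exit(127);            /* reached only if the script cannot be executed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker input, not a captured request. */
    const char *payload = "x; id";
    char cmd[256];
    build_otp_command_unsafe("admin", payload, cmd, sizeof cmd);
    printf("unsafe handler would run: %s\n", cmd);
    printf("safe handler: value valid=%d, result=%d\n",
           otp_param_is_valid(payload), run_otp_check_safe("admin", payload));
    return 0;
}
```

The point of the hardened handler is that quoting or escaping the value inside a shell string is the wrong fix: with execv() the parameters become discrete argv entries that no shell ever parses, and the allow-list rejects anything that is not a plausible token before a process is spawned at all. On a host where the hypothetical script path does not exist, the safe handler returns 127 for a well-formed token and -1 for the injected one.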

Affected Systems

The affected product is the DrayTek Vigor 2960 series network device. Firmware versions earlier than 1.5.1.4 are vulnerable. No other firmware releases or product lines are listed as impacted.

Risk and Exploitability

The CVSS v4.0 score of 9.2 (v3.1: 8.1) classifies the issue as critical. EPSS is below 1 percent (very low), the vulnerability is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, so there is no currently known exploitation in the wild. Both CVSS vectors set Attack Complexity to High, and the v4.0 vector adds Attack Requirements: Present, because the attacker must know a valid username and the targeted account must have MOTP enabled; beyond those preconditions no credentials and no user interaction are needed. The attack is delivered through the device's web interface, so it is reachable from any network that can reach the management HTTP(S) listener.

Generated by OpenCVE AI on May 8, 2026 at 15:12 UTC.
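For the defensive side, here is an added example (not from the advisory, from OpenCVE or from DrayTek) of triaging captured HTTP POST bodies to the login CGI for exploitation attempts, as a network sensor or log pipeline in front of the device might. It assumes the login form is application/x-www-form-urlencoded and that the username field is called formusername; only formpassword is named on this page. The sample bodies are constructed, not captured traffic.

```c
/* Added example: flag login POST bodies whose formpassword value carries
 * shell metacharacters. Field names other than formpassword are assumed;
 * the sample bodies are constructed. */
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src[0..srclen) into dst ('+' becomes a space), always
 * NUL-terminating dst. Decoding matters: an attacker sends %3B, not ';'. */
static void url_decode(const char *src, size_t srclen, char *dst, size_t dstlen)
{
    size_t o = 0;
    for (size_t i = 0; i < srclen && o + 1 < dstlen; i++) {
        if (src[i] == '%' && i + 2 < srclen) {
            int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
            if (hi >= 0 && lo >= 0) {
                dst[o++] = (char)(hi * 16 + lo);
                i += 2;
                continue;
            }
        }
        dst[o++] = (src[i] == '+') ? ' ' : src[i];
    }
    dst[o] = '\0';
}

/* Look up key in a urlencoded body; the decoded value goes to out.
 * Returns 1 if the key is present, 0 otherwise. */
int form_get(const char *body, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = body;
    for (;;) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        if (eq && (size_t)(eq - p) == klen && memcmp(p, key, klen) == 0) {
            url_decode(eq + 1, plen - klen - 1, out, outlen);
            return 1;
        }
        if (!amp)
            return 0;
        p = amp + 1;
    }
}

/* Characters a POSIX shell interprets when they appear unquoted in a
 * command line; any of them in a password-like field is a strong signal. */
static const char SHELL_META[] = ";|&`$()<>'\"\\*?{}\n";

/* Returns 1 if the body carries a formpassword containing shell metacharacters. */
int formpassword_is_injection(const char *body)
{
    char pw[256];
    if (!form_get(body, "formpassword", pw, sizeof pw))
        return 0;
    return strpbrk(pw, SHELL_META) != NULL;
}

/* Constructed sample request bodies (not captured traffic). */
static const char *const SAMPLE_BODIES[] = {
    "formusername=admin&formpassword=123456",
    "formusername=admin&formpassword=x%3B+id+%3E%2Ftmp%2Fo",
    "formusername=admin&formpassword=%60id%60&submit=1",
    "formusername=admin&formpassword=p%40ss%2Bword",
};
#define SAMPLE_COUNT (sizeof SAMPLE_BODIES / sizeof SAMPLE_BODIES[0])

/* Count bodies that look like injection attempts. */
size_t count_suspicious(const char *const bodies[], size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += formpassword_is_injection(bodies[i]) ? 1 : 0;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("%s  %s\n",
               formpassword_is_injection(SAMPLE_BODIES[i]) ? "SUSPECT" : "ok     ",
               SAMPLE_BODIES[i]);
    printf("%zu of %zu flagged\n", count_suspicious(SAMPLE_BODIES, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

The decode-then-inspect order is deliberate: matching on the raw body would miss %3B, %60 and friends, and a legitimate password that happens to contain '@' or '+' (the fourth sample) is not flagged. Treat a hit as a trigger for looking at the source address and at the device's firmware version rather than as proof of compromise.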

Remediation

The CVE record carries no vendor solution or workaround text. The affected version range (firmware prior to 1.5.1.4) indicates that 1.5.1.4 is the fixed release.

OpenCVE Recommended Actions

  • Upgrade the device to firmware version 1.5.1.4 or later from DrayTek's official download site, and confirm the running version afterwards.
  • If an immediate firmware update is not possible, disabling MOTP on administrative accounts removes the precondition for exploitation (the otp_check.sh path is only reached for MOTP-enabled accounts), but it also removes a second authentication factor; treat this as a short-lived stop-gap and pair it with the access restriction below.
  • Restrict management interface access to a dedicated management VLAN or apply firewall rules so that only trusted subnets reach the web UI; do not expose the management interface on the WAN.
  • Where request logging or a proxy in front of the device is available, watch for POST requests to mainfunction.cgi whose formpassword value contains shell metacharacters.

Advisories

No advisories yet.

History

Fri, 08 May 2026 15:00:00 +0000
  • First Time appeared (values added): Draytek; Draytek vigor 2960
  • Vendors & Products (values added): Draytek; Draytek vigor 2960

Fri, 08 May 2026 14:15:00 +0000
  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 13:00:00 +0000
  • Description (values added): DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled.
  • Title (values added): DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi
  • Weaknesses (values added): CWE-78
  • References (values added): (empty)
  • Metrics (values added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

No entry removed any values.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-08T13:58:11.141Z

Reserved: 2026-04-29T21:00:57.895Z

Link: CVE-2022-50994

Vulnrichment

Updated: 2026-05-08T13:58:07.001Z

NVD

Status : Deferred

Published: 2026-05-08T13:16:34.150

Modified: 2026-05-08T15:48:43.467

Link: CVE-2022-50994

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T15:15:10Z

Weaknesses