External risk intelligence

DrayTek Vigor 2960 allows attackers to take control of your network equipment

CVE advisory. Severity: CRITICAL (CVSS 9.2)

CVE-2022-50994

A critical flaw in DrayTek Vigor 2960 network gateways allows remote attackers to run any commands they want, potentially taking control of your network equipment. This requires basic credentials but could expose your entire network.

Halo Surface Signal: 5

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2022-50994

The vulnerability affects the login handler of a network gateway. These devices are typically positioned at the network edge, and their management interfaces are frequently exposed to the public internet to facilitate remote administration, making them highly reachable in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This issue allows attackers to execute arbitrary commands on DrayTek Vigor 2960 network gateways. This could lead to unauthorized control and compromise of network security.

  • Attackers can exploit this remotely.
  • It impacts network gateways.
  • Knowledge of a username is needed.

Attack Path

How an attacker could exploit the issue

An unauthenticated remote attacker could exploit this by sending specially crafted input to the login page. If successful, they could execute arbitrary commands on the device with web server privileges. This requires knowing a username and that MOTP authentication is enabled for that account.

  • Exploitable by unauthenticated remote attackers.
  • Exploits the CGI login handler.
  • Requires a valid username and MOTP enabled on that account.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on DrayTek Vigor 2960 devices. Attackers are likely to target this because it provides direct command execution on a device often exposed to the internet. However, exploitation requires knowledge of valid usernames and that MOTP authentication is enabled, which may limit widespread weaponization.

  • Exploitation requires specific conditions.
  • No public exploit code observed.
  • No KEV listing signal.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected DrayTek Vigor 2960 devices to version 1.5.1.4 or later to address the critical OS command injection vulnerability. If immediate patching is not feasible, isolate these devices from the network and restrict access to authenticated users with MOTP enabled.

  • Update firmware to 1.5.1.4 or newer.
  • Isolate affected devices from the network.
  • Monitor for suspicious login attempts.

Frequently asked questions

What is the DrayTek Vigor 2960 and its relevance to network security?

The DrayTek Vigor 2960 is a network gateway device used for managing and securing network traffic, often serving as a firewall and router for businesses. Its position at the network edge makes vulnerabilities in its firmware a significant concern for network security.

What is CVE-2022-50994 and what weakness class does it relate to?

CVE-2022-50994 is a critical OS command injection vulnerability (CWE-78) found in DrayTek Vigor 2960 firmware versions prior to 1.5.1.4. It allows attackers to execute arbitrary commands on the device.

How can an attacker exploit the CVE-2022-50994 vulnerability?

An attacker can exploit this by injecting shell metacharacters into the 'formpassword' parameter of the CGI login handler. This requires knowledge of a valid username and that the target account has MOTP authentication enabled, allowing remote code execution with web server privileges.
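The monitoring step recommended above can be turned into a concrete check on the parameter named here. The following is an added detection example, not code from DrayTek or from this advisory; it assumes a constructed log format of "client ip, method, path, quoted urlencoded body", and the CGI path in the sample records is a placeholder, since the page does not name it.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters that should never appear in a posted password when the
# backend may hand the value to a shell (the CWE-78 pattern behind this CVE).
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\]")

# Constructed log format for this example: '<client ip> <method> <path> "<body>"'.
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<body>.*)"$')


def flagged_metachars(body: str, field: str = "formpassword") -> str:
    """Return the distinct shell metacharacters found in `field` of a
    urlencoded body, sorted; '' if the field is absent or clean."""
    values = parse_qs(body, keep_blank_values=True).get(field, [])
    found = {ch for v in values for ch in SHELL_META.findall(v)}
    return "".join(sorted(found))


def scan_login_log(lines):
    """Return (ip, path, metachars) for each POST whose formpassword field
    carries shell metacharacters; non-POST and unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        chars = flagged_metachars(m["body"])
        if chars:
            hits.append((m["ip"], m["path"], chars))
    return hits


# Constructed sample records: documentation-range IPs, placeholder CGI path.
SAMPLE_LOG = [
    '198.51.100.7 POST /cgi-bin/LOGIN_CGI "formusername=admin&formpassword=correct-horse"',
    '198.51.100.9 POST /cgi-bin/LOGIN_CGI "formusername=admin&formpassword=pw%3B%24%28x%29"',
    '198.51.100.9 POST /cgi-bin/LOGIN_CGI "formusername=admin&formpassword=a%60b%60"',
    '203.0.113.4 GET /cgi-bin/LOGIN_CGI ""',
]

if __name__ == "__main__":
    for ip, path, chars in scan_login_log(SAMPLE_LOG):
        print(f"ALERT {ip} {path}: formpassword contains shell metacharacters {chars!r}")
```

Legitimate passwords may contain some of these characters, so treat a hit as a triage signal, weighted by repeat attempts from one source, rather than as proof of exploitation.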

How likely is exploitation of CVE-2022-50994, and what is its significance?

Exploitation is considered very likely due to the device's typical placement at network perimeters, making it reachable. The vulnerability allows direct command execution on a critical network device, significantly impacting its security.

What is the recommended action for DrayTek Vigor 2960 devices affected by CVE-2022-50994?

The primary recommendation is to update the DrayTek Vigor 2960 firmware to version 1.5.1.4 or later. If immediate patching is not possible, isolating the affected devices from the network and restricting access is advised.
