HIGH SEVERITY
CVE-2021-20123 DrayTek · VigorConnect

DrayTek VigorConnect Path Traversal Vulnerability

Technical Severity

CVSS v3.1 Metrics

HIGH
7.5 / 10
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitation Likelihood

EPSS Prediction

Predictive Probability: 93.99%
Percentile Rank: 99.9th

Documented as more likely to be exploited than 99.9% of known CVEs.

Detection Date

Sep 03, 2024

Remediation Due

Sep 24, 2024

CISA Catalog Active

Threat Analysis

DrayTek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

External Intelligence