HIGH SEVERITY
CVE-2021-20124 DrayTek · VigorConnect

DrayTek VigorConnect Path Traversal Vulnerability

Technical Severity

CVSS v3.1 Metrics

HIGH
7.5 / 10
Vector Specification
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitation Likelihood

EPSS Prediction

Predictive Probability
94.06%
Percentile Rank
99.9th

Documented as more likely to be exploited than 99.9% of known CVEs.

Detection Date

Sep 03, 2024

Remediation Due

Sep 24, 2024

CISA Catalog Active

Threat Analysis

DrayTek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Remediation Directive

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

External Intelligence