Skip to main content
All vulnerabilities
CVE-2021-20124

Draytek VigorConnect Path Traversal Vulnerability

DrayTekVigorConnect

Added to KEV catalog
3 September 2024
Federal remediation due date
24 September 2024
Weakness classification (CWE)
CWE-22

CISA Description

Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Required action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Notes

https://www.draytek.com/about/security-advisory/vigorconnect-software-security-vulnerability-(cve-2021-20123-cve-2021-20129); https://nvd.nist.gov/vuln/detail/CVE-2021-20124

Confirm Your Exposure

Is this vulnerability present in your environment?

CRS delivers independent VAPT assessments that identify exactly which known-exploited vulnerabilities exist in your network, applications, and infrastructure.

Explore VAPT Services