DrayTek Vigor 2960 OS Command Injection Flaw Allows Unauthenticated
CVE-2022-50994 (CVSS 8.1): Unauthenticated attackers can inject shell commands via the formpassword parameter in the CGI login handler of DrayTek Vigor 2960 routers running...

Executive Summary
DrayTek has released firmware version 1.5.1.4 for the Vigor 2960 router to address CVE-2022-50994, an unauthenticated OS command injection vulnerability in the device's CGI login handler. The flaw, assigned a CVSS score of 8.1 (High), allows remote attackers to execute arbitrary commands on the underlying operating system by injecting shell metacharacters into the formpassword parameter of the login page. According to the vendor's advisory, the vulnerable input is passed unsanitized to the otp_check.sh script, enabling command execution with the privileges of the web server process. No public proof-of-concept exploit has been confirmed at the time of writing, but the attack surface — unauthenticated access to the login interface — makes this a high-priority patch for any organization using the Vigor 2960 as an edge router or VPN gateway.
Technical Analysis
The vulnerability resides in the CGI binary that handles HTTP POST requests to the router's login endpoint. The formpassword field is passed, without sanitization or escaping, into a shell command line involving the otp_check.sh script, so the shell interprets any metacharacters the field contains. An attacker who can reach the router's management interface (typically TCP port 80 or 443) can therefore use characters such as semicolons, pipes, backticks or $(...) to terminate the intended command and append arbitrary ones. Which separators are needed depends on the quoting context the field lands in, which the advisory summary above does not specify; that affects the payload, not the severity.
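To make the injection mechanism concrete, here is an added illustration that is not code from the page, from DrayTek, or from the Vigor 2960 firmware: a hypothetical handler that builds the otp_check.sh command line the vulnerable way (a string handed to a shell), a tokenizer that shows what that shell would actually execute when the password field carries a separator, and the hardened form that passes each field as its own argv element with no shell involved. The script path, the argument order and the payload are all assumptions made for the example.

```python
import shlex
import subprocess
import sys

# Constructed payload for illustration only: a password field carrying a shell
# command separator. It is not a proof-of-concept for the Vigor 2960, and the
# command lines below are hypothetical stand-ins; the handler's real invocation
# of otp_check.sh is not reproduced here.
INJECTED_PASSWORD = "secret; touch /tmp/pwned"


def build_vulnerable_command(username: str, password: str) -> str:
    """Vulnerable pattern: splice request fields into a string destined for
    sh -c (as system()/popen() would do). Hypothetical command line."""
    return f"/bin/sh /usr/bin/otp_check.sh {username} {password}"


def commands_the_shell_would_run(command_line: str) -> list:
    """Tokenise the string the way a POSIX shell would and split it on command
    separators, returning the list of separate commands the shell executes.
    Nothing is executed here."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_safe_argv(username: str, password: str) -> list:
    """Hardened pattern: no shell at all. Each field is exactly one argv element
    handed to execve(), so metacharacters are inert bytes. (Secrets are still
    better passed over stdin or a pipe than via argv, which is visible in ps.)"""
    return ["/bin/sh", "/usr/bin/otp_check.sh", username, password]


def run_without_shell_demo(password: str) -> str:
    """Stand-in for exec'ing the checker: run the Python interpreter as the
    'script' and have it echo back its second argument, showing that the whole
    field arrives as a single argument no matter what it contains."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[2], end='')",
         "admin", password],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    vuln = build_vulnerable_command("admin", INJECTED_PASSWORD)
    print("shell would run:", commands_the_shell_would_run(vuln))
    print("argv without shell:", build_safe_argv("admin", INJECTED_PASSWORD))
    print("received as one argument:", repr(run_without_shell_demo(INJECTED_PASSWORD)))
```

The point of the argv form is that the fix is structural rather than a blocklist: once no shell parses the string, there is nothing for a semicolon or backtick to do, so the handler needs no knowledge of which characters are dangerous in which quoting context.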
DrayTek's advisory states that the issue affects all Vigor 2960 firmware versions prior to 1.5.1.4. The router is commonly deployed in small-to-medium business environments and branch offices as a multi-WAN VPN router. The management interface is often exposed to the local LAN, but in misconfigured deployments may be accessible from the WAN side, dramatically increasing the risk of exploitation.
Successful exploitation yields remote code execution with the privileges of the web server process, which on embedded Linux firmware is frequently root, since many router vendors run the web interface without privilege separation. From that foothold an attacker could install a persistent backdoor, pivot into internal networks, intercept or redirect VPN traffic, or alter routing and firewall configuration.
This vulnerability was originally disclosed in 2022 but has only recently been fully documented in the NVD, with a CVSS v3.1 base score of 8.1. The vector string as printed, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, describes an attack that is reachable over the network, requires no privileges and no user interaction, and fully compromises confidentiality, integrity and availability. Note that this vector computes to 9.8 under CVSS v3.1, not 8.1; an 8.1 score with the same impact metrics corresponds to high attack complexity (AC:H). One of the two values is misprinted, so confirm against the NVD entry before copying either into a ticket. Either way, exploitation needs only network reachability to the router's web interface.
Mitigations & Recommendations
Organizations using DrayTek Vigor 2960 routers should upgrade to firmware version 1.5.1.4 or later immediately. The firmware is available from DrayTek's support download page. If immediate patching is not possible, administrators should restrict access to the router's web management interface to trusted IP addresses only, using firewall rules or access control lists. Disabling remote management (WAN-side access) is strongly advised unless absolutely necessary. Network segmentation should ensure that the router's management interface is not reachable from untrusted networks, including guest Wi-Fi segments. Monitoring login attempts for unusual shell metacharacters in the password field can give early warning of scanning or exploitation, but only from a vantage point that sees the request body, such as an inline IDS or a reverse proxy placed in front of the interface; an ordinary access log records the request line and not the POST form fields.
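As an added example of the detection idea in the paragraph above (not code from the page or from DrayTek), the following script runs a metacharacter check over constructed log lines in an assumed format that records the decoded POST body: timestamp, client IP, method, path, body. The path /cgi-bin/login.cgi and every log line are invented for the example. It URL-decodes the form before matching, since probes arrive percent-encoded, and it ranks sources by hit count because a single hit can be a legitimate password containing '&' while a burst from one address is the scanning pattern worth escalating.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Characters a POSIX shell interprets that a login password has no reason to carry
# when the handler is known to pass the field to a shell: command separators, pipes,
# backgrounding, command/variable substitution, redirection and newline.
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Constructed sample lines in an assumed log format (timestamp, client IP, method,
# path, URL-encoded POST body). The path /cgi-bin/login.cgi is a placeholder, not
# the Vigor 2960's real login endpoint, and the bodies are made up for this example.
SAMPLE_LOG = """\
2024-01-15T10:02:11Z 203.0.113.7 POST /cgi-bin/login.cgi formusername=admin&formpassword=hunter2
2024-01-15T10:02:19Z 198.51.100.23 POST /cgi-bin/login.cgi formusername=admin&formpassword=x%3Bid
2024-01-15T10:02:20Z 198.51.100.23 POST /cgi-bin/login.cgi formusername=admin&formpassword=x%60id%60
2024-01-15T10:02:21Z 198.51.100.23 POST /cgi-bin/login.cgi formusername=admin&formpassword=x%24%28id%29
2024-01-15T10:03:02Z 203.0.113.7 POST /cgi-bin/login.cgi formusername=admin&formpassword=p%40ss%26w0rd
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields and URL-decode the form body.
    Decoding matters: probes arrive percent-encoded (%3B is ';'), so matching
    the raw body would miss them."""
    ts, src, method, path, body = line.split(" ", 4)
    form = parse_qs(body, keep_blank_values=True)
    return {
        "ts": ts, "src": src, "method": method, "path": path,
        "password": form.get("formpassword", [""])[0],
    }


def find_suspicious_logins(log_text: str) -> list:
    """Return (source IP, decoded formpassword, offending characters) for every
    login whose password field contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        found = sorted(set(SHELL_META.findall(rec["password"])))
        if found:
            hits.append((rec["src"], rec["password"], "".join(found)))
    return hits


def sources_by_hit_count(hits: list) -> list:
    """Rank source IPs by number of flagged logins. One hit may be a user whose
    real password contains '&' (a false positive worth knowing about); several
    from one source in quick succession look like scanning or exploitation."""
    return Counter(src for src, _, _ in hits).most_common()


if __name__ == "__main__":
    flagged = find_suspicious_logins(SAMPLE_LOG)
    for src, pw, chars in flagged:
        print(f"{src}: formpassword={pw!r} contains {chars!r}")
    print("by source:", sources_by_hit_count(flagged))
```

Treat the output as a triage signal rather than a block rule: the last sample line shows a plausible real password that trips the check, so the per-source count, not the single match, is what should drive an alert.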