CVE-2020-8515 is an unauthenticated command injection vulnerability in DrayTek Vigor2960, Vigor3900, and Vigor300B devices running affected beta firmware versions. The flaw is present in the web management CGI endpoint mainfunction.cgi, where insufficient neutralization of shell metacharacters allows attacker-controlled input to be interpreted by the underlying system shell. A remote attacker can send crafted requests to the CGI handler without authentication and cause arbitrary commands to execute with root privileges on the device. Because exploitation occurs in a privileged management component, successful compromise can result in full device takeover.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a proof-of-concept exploit for CVE-2020-8515, a remote command injection vulnerability affecting Draytek Vigor routers (models 2960, 3900, 300B). The main exploit script, 'draytek.py', is a Python script that targets the router's web management interface, specifically the '/cgi-bin/mainfunction.cgi' endpoint. It sends a crafted POST request to this endpoint, injecting arbitrary shell commands via the 'keyPath' parameter. The script first probes the target by attempting to read '/etc/passwd' to check for vulnerability, then executes further commands (e.g., 'uname -a') if the target is confirmed vulnerable. The exploit can be easily modified to execute more complex payloads, such as downloading and running a reverse shell. The repository also includes a README.md with usage instructions, example output, and notes on extending the exploit. The exploit is operational and demonstrates remote code execution, but is not weaponized or part of a larger framework.
This repository contains an Nmap NSE script (http-draytek-rce.nse) designed to detect and exploit CVE-2020-8515, a pre-authentication remote code execution vulnerability affecting DrayTek Vigor2960, Vigor3900, and Vigor300B routers with specific firmware versions. The script first checks if the target is a DrayTek device, then safely tests for the vulnerability by injecting a unique string via a POST request to /cgi-bin/mainfunction.cgi. If the device is confirmed vulnerable, the script exploits the flaw to execute 'cat /etc/passwd', dumping the contents of the password file to demonstrate code execution as root. The repository also includes a README.md briefly describing the script's purpose. The main attack vector is network-based, targeting the web management interface of affected routers. The script is operational, providing both detection and exploitation capabilities.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific CVE included in TuxBot's exploit VM package, but the VM is broken so the exploit package never executes in the analyzed version.
A command injection vulnerability in DrayTek Vigor devices that allows remote attackers to execute arbitrary commands via the mainfunction.cgi interface.
Unknown (listed as exploited by AIRASHI; no additional details provided in the content).
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.