CVE-2022-50994 DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi
Details
CVSS v3: 8.1
CVSS v4: 9.2
NVD published: 2026-05-08 13:16:34
Affected versions: DrayTek Vigor 2960 firmware < 1.5.1.4
Summary
This critical vulnerability exists in the CGI login handler (mainfunction.cgi) of widely deployed DrayTek Vigor 2960 enterprise routers. Unsanitized input to the formpassword parameter allows a remote attacker to inject arbitrary OS commands, leading to full remote code execution with the privileges of the web server process. Exploitation requires only a valid username and MOTP authentication enabled on the target account.
Remediation
Upgrade all affected DrayTek Vigor 2960 devices to firmware version 1.5.1.4 or newer immediately. Disable MOTP authentication for any accounts that do not require it until patching is complete. Restrict remote management access to trusted IP addresses to reduce exposure.
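The two defender-side checks implied by this record, the affected-version test and a request-side signal for the parameter named above, are shown below as an added example. This is not DrayTek code or anything from the advisory; it assumes a reverse proxy or log-review script in front of the management interface that can see the request path and POST body, and the sample request used is constructed. Passwords can legitimately contain such characters, so the request check is an alerting signal to correlate with the firmware version, not a blocking rule on its own.

```python
import re
from urllib.parse import parse_qs

# From the advisory: the fix ships in firmware 1.5.1.4; anything older is affected.
FIXED_VERSION = (1, 5, 1, 4)

# Characters that separate or substitute commands in a POSIX shell. Their
# presence in a login parameter is unusual enough to be worth an alert.
SHELL_METACHARS = re.compile(r"[;&|`$<>\r\n]")

# Name of the vulnerable handler and parameter, both taken from the advisory.
VULNERABLE_HANDLER = "mainfunction.cgi"
VULNERABLE_PARAM = "formpassword"


def parse_version(version):
    """Turn a dotted firmware string such as '1.5.1.3' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the firmware version is below the fixed release 1.5.1.4.

    Tuple comparison handles shorter strings naturally: (1, 5, 1) < (1, 5, 1, 4).
    """
    return parse_version(version) < FIXED_VERSION


def inspect_request(path, body):
    """Return a list of findings for one HTTP request to the management UI.

    Only requests to the vulnerable handler are examined; the body is assumed to
    be application/x-www-form-urlencoded, which is what a CGI login form sends.
    """
    findings = []
    if VULNERABLE_HANDLER not in path:
        return findings
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get(VULNERABLE_PARAM, []):
        hit = SHELL_METACHARS.search(value)
        if hit:
            findings.append(
                f"{VULNERABLE_PARAM} to {VULNERABLE_HANDLER} contains shell "
                f"metacharacter {hit.group(0)!r} (CVE-2022-50994 pattern)"
            )
    return findings


def triage(firmware_version, path, body):
    """Combine both signals: an alert is only critical on unpatched firmware."""
    findings = inspect_request(path, body)
    if not findings:
        return "clean"
    return "critical" if is_affected(firmware_version) else "suspicious-but-patched"


if __name__ == "__main__":
    # Constructed sample requests; the second carries a separator in the password.
    benign = ("/cgi-bin/mainfunction.cgi", "username=admin&formpassword=Hunter2")
    suspect = ("/cgi-bin/mainfunction.cgi", "username=admin&formpassword=pw%3Bx")
    for fw in ("1.5.1.3", "1.5.1.4"):
        print(fw, "affected" if is_affected(fw) else "fixed")
        print("  benign ->", triage(fw, *benign))
        print("  suspect ->", triage(fw, *suspect))
```

Run it against a feed of decoded management-interface requests and the inventory's firmware versions; any device that returns "critical" should go to the top of the upgrade queue from the remediation list above.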