DrayTek Vigor 2960 RCE: Unauthenticated OS Command Injection

The National Vulnerability Database (NVD) reports CVE-2022-50994, an OS command injection vulnerability in DrayTek Vigor 2960 firmware versions prior to 1.5.1.4. This high-severity flaw (CVSS 8.1) allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter of the CGI login handler. Attackers exploit unsanitized input passed to the otp_check.sh script, leading to remote code execution with web server privileges.

Crucially, exploitation requires knowledge of a valid username and that the target account has Multi-Factor Authentication (MOTP) enabled. While this adds a hurdle, it doesn’t diminish the severity. An attacker who has already compromised user credentials, or can guess common ones, can chain this with the MOTP requirement to gain full remote command execution. This is a critical vector for network perimeter devices.

This vulnerability underscores the importance of rigorous input validation, especially in authentication mechanisms and scripts executed with elevated privileges. For defenders, this is a clear indication that perimeter devices are constant targets and require immediate patching and vigilant monitoring for suspicious activity, even when seemingly minor authentication details are involved.

What This Means For You

  • If your organization uses DrayTek Vigor 2960 routers, immediately verify your firmware version. Patch to 1.5.1.4 or higher without delay. Even if MOTP is not widely deployed, assume an attacker could leverage compromised credentials to meet the exploitation criteria. Prioritize patching and scrutinize logs for any unusual access attempts or command execution on these devices.
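The two actions above, checking the firmware version against the fixed release and looking for injection attempts against the login handler, can be scripted. The block below is an added example written for this brief; it is not code from DrayTek, NVD or the original source. It assumes the defender can capture login request bodies (for instance from a reverse proxy or WAF in front of the router's web UI), uses a placeholder login path since the advisory only says "CGI login handler", and the sample requests are constructed, not real router logs.

```python
"""Defender-side checks for the CVE-2022-50994 exposure described in the brief.

1. is_vulnerable_firmware(): compares a Vigor 2960 firmware string with the
   first fixed version (1.5.1.4) given in the advisory.
2. scan_login_requests(): flags captured login requests whose formpassword
   value contains shell metacharacters, i.e. the injection pattern the
   advisory describes for the value handed to otp_check.sh.

Sample traffic and the login path are constructed for this example.
"""
import re
from urllib.parse import parse_qs

FIXED_VERSION = (1, 5, 1, 4)  # first fixed firmware per the advisory

# Characters that let a value break out of a shell command line when it is
# interpolated unquoted: separators, substitution, pipes, redirection, quotes.
SHELL_META = re.compile(r"""[;&|`$(){}<>\n\r\\'"]""")

# Placeholder: the advisory does not name the CGI file, only "CGI login handler".
LOGIN_PATH_PLACEHOLDER = "/cgi-bin/LOGIN_HANDLER.cgi"


def parse_version(version: str) -> tuple:
    """Turn '1.5.1.3' into (1, 5, 1, 3); non-numeric suffixes end parsing."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable_firmware(version: str) -> bool:
    """True when the firmware is older than 1.5.1.4 (the advisory's fix)."""
    v = parse_version(version)
    # pad so a short string such as '1.5.1' compares like '1.5.1.0'
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v < FIXED_VERSION


def suspicious_password_field(body: str):
    """Return the decoded formpassword value if it carries shell
    metacharacters, otherwise None. parse_qs percent-decodes, so an
    encoded ';' (%3B) is inspected in its decoded form."""
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get("formpassword", []):
        if SHELL_META.search(value):
            return value
    return None


def scan_login_requests(requests):
    """requests: iterable of (client_ip, path, body) tuples captured in
    front of the router. Returns one alert dict per suspicious request."""
    alerts = []
    for ip, path, body in requests:
        if not path.endswith(".cgi"):
            continue  # only the CGI login handler is in scope
        bad = suspicious_password_field(body)
        if bad is not None:
            alerts.append({"ip": ip, "path": path, "formpassword": bad})
    return alerts


# Constructed sample traffic: two ordinary logins (the second with harmless
# punctuation) and one request carrying a command separator in formpassword.
SAMPLE_REQUESTS = [
    ("10.0.0.5", LOGIN_PATH_PLACEHOLDER, "formusername=admin&formpassword=Winter2024"),
    ("10.0.0.7", LOGIN_PATH_PLACEHOLDER, "formusername=ops&formpassword=p%40ssw0rd%21"),
    ("198.51.100.9", LOGIN_PATH_PLACEHOLDER, "formusername=admin&formpassword=x%3Bid"),
]

if __name__ == "__main__":
    for fw in ("1.5.1.3", "1.5.1.4"):
        print(fw, "vulnerable" if is_vulnerable_firmware(fw) else "fixed")
    for alert in scan_login_requests(SAMPLE_REQUESTS):
        print("ALERT", alert)
```

The metacharacter set errs toward alerting: a legitimate password containing `$` or `(` will trip it, so tune it to the password policy in force and treat hits as a trigger for review rather than proof of compromise. Ordinary access logs do not carry POST bodies, which is why the capture point has to be a proxy or WAF that records request bodies; without that, the version check is the only part of this that can run from existing data.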

Indicators of Compromise

ID              Type               Indicator
CVE-2022-50994  Command Injection  DrayTek Vigor 2960 firmware < 1.5.1.4
CVE-2022-50994  RCE                CGI login handler, formpassword parameter
CVE-2022-50994  Command Injection  otp_check.sh script
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
