33 matches found
CVE-2025-10547
An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption...
EUVD-2025-32290
Malicious code in bioql PyPI...
CVE-2025-10547
An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption...
CVE-2025-10547
CVE-2025-10547 affects DrayTek Vigor Routers running DrayOS. An uninitialized variable in the HTTP CGI request arguments processing component can cause memory corruption, enabling remote code execution (RCE). Impact, per sources, includes unauthenticated attacker access via LAN or WAN (if EasyVPN...
CVE-2025-10547 CVE-2025-10547
An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption...
CVE-2025-10547 CVE-2025-10547
An uninitialized variable in the HTTP CGI request arguments processing component of Vigor Routers running DrayOS may allow an attacker the ability to perform RCE on the appliance through memory corruption...
Vigor routers running DrayOS are vulnerable to RCE via EasyVPN and LAN web administration interface
Overview A remote code execution RCE vulnerability was discovered through the EasyVPN and LAN web administration interface of Vigor routers by Drayteck. A script in the LAN web administration interface uses an unitialized variable, allowing an attacker to inject arbitrary commands through memory...
PT-2025-40432
Name of the Vulnerable Software and Affected Versions DrayOS routers versions prior to the fixed firmware. Description A flaw exists in the HTTP CGI request arguments processing component of DrayOS routers, potentially allowing an attacker to execute code remotely RCE through memory corruption...
CVE-2023-33778
Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their o...
CISA Adds Three Known Exploited Vulnerabilities to Catalog
Updated June 5, 2025 CISA is continually collaborating with partners across government and the private sector. Through this collaboration, CISA learned that CVE-2025-4664 has not been exploited and there is insufficient evidence to keep this CVE on the KEV and that the best course of action is to...
DrayTek Vigor Routers OS Command Injection Vulnerability
DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface...
CVE-2024-51139
The CVE-2024-51139 entry describes a Buffer Overflow in DrayTek/Vigor devices where the CGI parser mishandles the Content-Length header of HTTP POST requests, enabling potential remote arbitrary-code execution. Affected devices and versions include Vigor2620/LTE200 up to 3.9.8.9 and earlier, Vigo...
VulnCheck KEV: CVE-2024-12987
DrayTek Vigor2960, Vigor300B, and Vigor3900 routers contain an OS command injection vulnerability due to an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component web management interface...
The vulnerability in the inetipv6.cgi web interface of the DrayTek Vigor router software allows a attacker to trigger a Denial-of-Service Attack (DoS).
The vulnerability in the SSLapp.cgi web interface of the DrayTek Vigor router software lies in the overflow of buffers on the stack during the processing of the sIpv6AiccuUser parameter. Exploiting this vulnerability allows a remote attacker to trigger a Denial-of-Service attack...
The vulnerability of the web interface of Draytek Vigor routers, Draytek Vigor access points, Draytek Vigor switches, and the cloud platform Draytek Vigor Myvigor arises from the use of rigidly encrypted credentials. This allows attackers to compromise the confidentiality, integrity, and accessibility of protected information.
The vulnerability of the web interface of Draytek Vigor routers, Draytek Vigor access points, Draytek Vigor switches, and the cloud platform Draytek Vigor Myvigor is related to the use of rigidly encrypted login credentials. Exploiting this vulnerability allows a malicious actor to compromise the...
The vulnerability in the mainfunction.cgii web interface of DrayTek Vigor software allows a hacker to execute arbitrary code.
The vulnerability in the mainfunction.cgii web interface of the DrayTek Vigor router software exists due to the lack of measures taken to clean data at the control level. Exploiting this vulnerability allows an attacker operating remotely to execute arbitrary code...
The vulnerability of the set_ap_map_config() function in the mainfunction.cgi script of the DrayTek Vigor 3900, Vigor 2960, and Vigor 300B router microprogramming system allows a hacker to execute arbitrary commands.
The vulnerability of the setapmapconfig function in the mainfunction.cgi script of the DrayTek Vigor 3900, Vigor 2960, and Vigor 300B routers relates to the failure to eliminate the and & elements used in the operating system’s command when processing the action parameter. Exploiting this...
The vulnerability of the doOpenVPN() function in the mainfunction.cgi script of the DrayTek Vigor 3900, Vigor 2960, and Vigor 300B routers allows a hacker to execute arbitrary commands.
The vulnerability of the doOpenVPN function in the mainfunction.cgi script of the DrayTek Vigor 3900, Vigor 2960, and Vigor 300B routers is related to the failure to eliminate the and & elements used in the operating system’s command when processing the action parameter. Exploiting this...
Vulnerabilities fixed in Draytek Vigor routers
Draytek has fixed vulnerabilities in several types of Vigor series routers. A malicious party could exploit the vulnerabilities to cause a Denial-of-Service, or perform a Cross-Site-Scripting attack, potentially gaining access to sensitive data or executing arbitrary code in the context of the...
CVE-2023-33778
Draytek Vigor Routers firmware versions below 3.9.6/4.2.4, Access Points firmware versions below v1.4.0, Switches firmware versions below 2.6.7, and Myvigor firmware versions below 2.3.2 were discovered to use hardcoded encryption keys which allows attackers to bind any affected device to their o...