Multiple Vulnerabilities in Draytek Vigor 2130

Type securityvulns
Reporter Securityvulns
Modified 2014-10-14T00:00:00


VIGOR 2130 (firmware <

1.1. Command injection in traceroute functionality

A user can execute arbitrary commands (RCE) on the router by abusing the traceroute functionality. The interface expects an IP address as input, but does not validate the input. Just provide the input: ; id The above outputs the current user id.

1.2. CSRF (Cross-Site Request Forgery)

No anti-CSRF measurements in place. This means that an attacker can setup a web page which, when visited by a victim who is logged in into the VIGOR 2130 web-interface, can perform operations onto the web-interface

1.3. Service runs as root The web service is running as root.


2014-09-26 : Vender released patches (private and unverified) to their customers 2014-07-22 : Vendor states that most of the vulns. are patched 2014-07-08 : Vendor notified customers with large deployments 2014-06-30 : Response of Vendor 2014-06-24 : Notified Vendor

Researchers: Victor van der Veen ( / Erik-Paul Dittmer (

Digital Misfits does not accept any liability for any errors, omissions, delays of receipt or viruses in the contents of this message which arise as a result of e-mail transmission.