Giulio Lyons

Name of the Vulnerable Software and Affected Versions: (affected versions not specified) Description: A non-primary administrator user with admin rights to the web interface, but without shell access permissions, can view the device configuration, including the master admin password. This also allows the user to gain shell access with root group ID. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Draytek VigorConnect version 1.6.0-B3 **Description** A local file inclusion vulnerability exists in the file download functionality of the `WebServlet` endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. The issue is related to incorrect restriction of the directory path name with limited access. **Recommendations** For Draytek VigorConnect version 1.6.0-B3, as a temporary workaround, consider disabling the file download functionality of the `WebServlet` endpoint until a patch is available. Restrict access to the `WebServlet` endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Draytek VigorConnect version 1.6.0-B3 **Description** A local file inclusion vulnerability exists in the file download functionality of the "DownloadFileServlet" endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. The issue is related to incorrect restriction of the directory path name with limited access. Exploitation of the vulnerability may allow a remote attacker to load arbitrary files with root privileges. **Recommendations** For Draytek VigorConnect version 1.6.0-B3, consider disabling the `DownloadFileServlet` endpoint until a patch is available to prevent exploitation. Restrict access to the file download functionality to minimize the risk of arbitrary file downloads. At the moment, there is no information about a newer version that contains a fix for this vulnerability.