CVE-2023-1162

Name of the Vulnerable Software and Affected Versions DrayTek Vigor versions 1.5.1.4 through 1.5.1.5

Description The issue is related to the function sub 1225C in the mainfunction.cgi script of the DrayTek Vigor web interface, where inadequate data cleaning on the management level can be exploited. This can allow a remote attacker to execute arbitrary commands. The manipulation of the password argument leads to command injection, and the attack can be launched remotely.

Recommendations For DrayTek Vigor versions 1.5.1.4 through 1.5.1.5, consider disabling the mainfunction.cgi script or restricting access to it until a fix is available. As a temporary workaround, avoid using the password argument in the affected web management interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.