DrayTek Vigor 2960 OS Command Injection Vulnerability in CGI Login Handler

Vulnerability

A command injection vulnerability has been identified in the DrayTek Vigor 2960 router in firmware versions prior to 1.5.1.4. The flaw lies in the CGI login handler: an unauthenticated remote attacker can execute arbitrary commands by injecting shell metacharacters into the formpassword parameter, which is passed unsanitized to the otp_check.sh script, so the injected commands run with the privileges of the web server. Successful exploitation requires knowledge of a valid username, and the targeted account must have MOTP authentication enabled.
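As an added example (not code from DrayTek or from this entry), the following Python shows the two checks a defender would want for this issue: inspecting captured login POST bodies for formpassword values that contain shell metacharacters, and the allowlist gate a fixed handler should apply before handing the value to any script such as otp_check.sh. The formusername field name, the digit-only OTP format and the sample request bodies are assumptions.

```python
from urllib.parse import parse_qs

# Characters that have no legitimate place in an OTP/password value that is
# passed to a shell script (the advisory names otp_check.sh as the sink).
SHELL_META_CHARS = set(";&|`$(){}<>\\\n\r'\"")

# Assumed allowlist for a mobile OTP value: a short, digit-only string.
OTP_MIN_LEN, OTP_MAX_LEN = 6, 8

def is_allowlisted_otp(value: str) -> bool:
    """True only for digit strings of the expected OTP length."""
    return value.isdigit() and OTP_MIN_LEN <= len(value) <= OTP_MAX_LEN

def inspect_login_body(body: str) -> dict:
    """Parse a URL-encoded login POST body and classify its formpassword value."""
    params = parse_qs(body, keep_blank_values=True)
    password = params.get("formpassword", [""])[0]  # parse_qs percent-decodes
    return {
        "has_shell_meta": any(c in SHELL_META_CHARS for c in password),
        "otp_format_ok": is_allowlisted_otp(password),
    }

def flagged_requests(bodies: list) -> list:
    """Indices of request bodies whose formpassword carries shell metacharacters."""
    return [i for i, b in enumerate(bodies) if inspect_login_body(b)["has_shell_meta"]]

def validate_otp_input(password: str) -> str:
    """Hardening gate: accept only allowlisted OTP values, so metacharacters can
    never reach a shell; reject everything else with ValueError."""
    if not is_allowlisted_otp(password):
        raise ValueError("formpassword rejected: not a well-formed OTP value")
    return password

# Constructed sample bodies (not captured traffic): a normal login, one with a
# percent-encoded ';' inside the OTP field, and one with an empty value.
SAMPLE_BODIES = [
    "formusername=admin&formpassword=482915",
    "formusername=admin&formpassword=482915%3Btrue",
    "formusername=admin&formpassword=",
]

if __name__ == "__main__":
    for i, body in enumerate(SAMPLE_BODIES):
        print(i, inspect_login_body(body))
    print("flagged:", flagged_requests(SAMPLE_BODIES))  # flagged: [1]
```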

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected device, with the executed commands running under the privileges of the web server.

Added: May 8, 2026, 1:42 PM
Updated: May 8, 2026, 1:42 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 7.5
exploitability: 5.9
remediation: 7.7
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.