CVE-2023-31447 – This vulnerability allows attackers to send cra... (How to Fix)

Q: What is the severity of CVE-2023-31447?

CVE-2023-31447 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to send crafted payloads to the user_login.cgi endpoint on affected Draytek Vigor devices, enabling arbitrary code execution by modifying memory segments and inserting shellcode. It affects Draytek Vigor2620 devices before firmware version 3.9.8.4 and all versions of Vigor2925 devices. Organizations using these devices as routers or firewalls are at risk.

📋 TL;DR

This vulnerability allows attackers to send crafted payloads to the user_login.cgi endpoint on affected Draytek Vigor devices, enabling arbitrary code execution by modifying memory segments and inserting shellcode. It affects Draytek Vigor2620 devices before firmware version 3.9.8.4 and all versions of Vigor2925 devices. Organizations using these devices as routers or firewalls are at risk.

💻 Affected Systems

Products:

Draytek Vigor2620
Draytek Vigor2925

Versions: Vigor2620: all versions before 3.9.8.4; Vigor2925: all versions

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The user_login.cgi endpoint is typically enabled by default on these devices. Both internet-facing and internal deployments are vulnerable.

📦 What is this software?

Vigor2620 Firmware by Draytek

View all CVEs affecting Vigor2620 Firmware →

Vigor2625 Firmware by Draytek

View all CVEs affecting Vigor2625 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise allowing attackers to gain persistent access, pivot to internal networks, intercept/modify traffic, and use the device as a launch point for further attacks.

🟠

Likely Case

Remote code execution leading to device takeover, credential theft, network traffic interception, and potential lateral movement into connected networks.

🟢

If Mitigated

Limited impact if devices are behind firewalls with strict ingress filtering and network segmentation, though the vulnerability remains exploitable from internal networks.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically exposed to the internet on these devices, making them directly accessible to attackers.

🏢 Internal Only: HIGH - Even if not internet-facing, the vulnerability can be exploited from any network segment with access to the device's management interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists in GitHub gists. The vulnerability requires no authentication and has a straightforward exploitation path for remote code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vigor2620: 3.9.8.4 or later; Vigor2925: Check Draytek for latest firmware

Vendor Advisory: https://draytek.com

Restart Required: Yes

Instructions:

1. Log into device web interface. 2. Navigate to System Maintenance > Firmware Upgrade. 3. Download latest firmware from Draytek support site. 4. Upload and apply firmware update. 5. Reboot device after update completes.

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to device management interface using firewall rules or ACLs

Disable Web Management

all

Disable web-based management interface if alternative management methods are available

🧯 If You Can't Patch

Isolate affected devices in dedicated network segments with strict firewall rules limiting inbound connections
Implement network monitoring and intrusion detection specifically for traffic to/from the device management interface

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface: System Maintenance > Firmware Information

Check Version:

No CLI command; check via web interface or SNMP if configured

Verify Fix Applied:

Verify firmware version is 3.9.8.4 or later for Vigor2620, or latest available for Vigor2925

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /cgi-bin/user_login.cgi
Multiple failed login attempts followed by successful exploitation
Unexpected process execution or configuration changes

Network Indicators:

Unusual outbound connections from device
Traffic patterns suggesting command-and-control communication
Exploit payloads in HTTP requests to management interface

SIEM Query:

source_ip="device_management_ip" AND (uri_path="/cgi-bin/user_login.cgi" OR http_method="POST" AND user_agent CONTAINS "exploit")

📊 Metadata

CVE ID: CVE-2023-31447

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: August 21, 2023

Last Updated: November 21, 2024

🔗 References

https://draytek.com Product
https://gist.github.com/rrrrrrri/013c9eef64b265af4163478bfcf29ff4 Third Party Advisory
https://draytek.com Product
https://gist.github.com/rrrrrrri/013c9eef64b265af4163478bfcf29ff4 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-31447, you might also want to check these: