CVE-2023-47254 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2023-47254?

CVE-2023-47254 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary system commands on DrayTek Vigor167 routers via OS command injection in the CLI interface. Attackers can escalate privileges using any account created in the web interface. Organizations using affected DrayTek Vigor167 routers are at risk.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary system commands on DrayTek Vigor167 routers via OS command injection in the CLI interface. Attackers can escalate privileges using any account created in the web interface. Organizations using affected DrayTek Vigor167 routers are at risk.

💻 Affected Systems

Products:

DrayTek Vigor167

Versions: Version 5.2.2

Operating Systems: Embedded router OS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects devices with any user account created via the web interface. Default admin account may also be vulnerable depending on configuration.

📦 What is this software?

Vigor167 Firmware by Draytek

View all CVEs affecting Vigor167 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attackers to install persistent backdoors, pivot to internal networks, intercept/modify traffic, and use the device as a launch point for further attacks.

🟠

Likely Case

Unauthorized access to router configuration, network traffic interception, credential harvesting, and potential lateral movement to connected systems.

🟢

If Mitigated

Limited to unauthorized configuration changes if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely via the CLI interface, making internet-facing devices particularly vulnerable.

🏢 Internal Only: HIGH - Even internally accessible devices are vulnerable to authenticated attackers with any web interface account.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authentication with any web interface account. Public proof-of-concept details are available in the SYSS advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check DrayTek for latest firmware updates

Vendor Advisory: https://www.draytek.com/support/security-advisory/

Restart Required: Yes

Instructions:

1. Log into DrayTek support portal. 2. Download latest firmware for Vigor167. 3. Upload firmware via web interface. 4. Apply update and restart device.

🔧 Temporary Workarounds

Disable CLI Access

all

Disable CLI interface access if not required for operations

Configure via web interface: System Maintenance > Management > Disable CLI/Telnet/SSH

Restrict Web Interface Access

all

Limit web interface access to trusted IP addresses only

Configure via web interface: Firewall > Filter Setup > Add rules to restrict web management access

🧯 If You Can't Patch

Isolate affected routers in separate VLAN with strict firewall rules
Implement network monitoring for suspicious CLI activity and command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface: System Maintenance > System Information > Firmware Version

Check Version:

ssh/telnet to router and check version or use web interface

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable version and test CLI interface for command injection

📡 Detection & Monitoring

Log Indicators:

Unusual CLI login attempts
Suspicious command execution in system logs
Multiple failed authentication attempts followed by successful CLI access

Network Indicators:

Unexpected outbound connections from router
Anomalous traffic patterns from router IP
CLI protocol traffic from unauthorized sources

SIEM Query:

source="router_logs" AND ("CLI" OR "command" OR "injection") AND (severity=high OR action=blocked)

📊 Metadata

CVE ID: CVE-2023-47254

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

Published: December 9, 2023

Last Updated: November 21, 2024

🔗 References

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt Exploit,Third Party Advisory
https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigor167-syss-2023-023 Third Party Advisory
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-023.txt Exploit,Third Party Advisory
https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigor167-syss-2023-023 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47254, you might also want to check these: