Exploit for #VU25350 Improper Neutralization of Special Elements in Output Used by a Downstream Component

Published: 2020-04-13 | Updated: 2022-09-14

Vulnerability identifier: #VU25350

Vulnerability risk: Critical

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2020-8515

CWE-ID: CWE-74

Exploitation vector: Network

Exploits in database: 7

September 14, 2022
- CVE-2020-8515 () [Github]
- CVE-2020-8515-PoC () [Github]
September 2, 2021
- CVE-2020-8515 (Draytek CVE-2020-8515 PoC) [Github]
June 17, 2021
- Multiple DrayTek Products - Pre-authentication Remote Root Code Execution [Exploit-DB]
June 3, 2020
- nmap_draytek_rce (nmap script to detect CVE-2020-8515 on Draytek Devices) [Github]
- CVE-2020-8515-PoC (CVE-2020-8515-PoC) [Github]
April 13, 2020
- DrayTek Vigor2960 / Vigor3900 / Vigor300B Remote Command Execution [Packet Storm]

Impact: Code execution

Vulnerable software:
Vigor 2960
Hardware solutions / Routers & switches, VoIP, GSM, etc
Vigor 3900
Hardware solutions / Routers & switches, VoIP, GSM, etc
Vigor 300B
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: DrayTek Corp.