What happened
CISA added CVE-2020-15415 to the Known Exploited Vulnerabilities (KEV) catalog on 2024-09-30, signaling confirmed in-the-wild exploitation and triggering mandatory remediation timelines for U.S. federal agencies CISA KEV. The entry covers DrayTek Vigor3900, Vigor2960, and Vigor300B devices vulnerable to OS command injection in cgi-bin/mainfunction.cgi/cvmcfgupload, enabling remote code execution (RCE) under specific request conditions NVD. CISA lists a due date of 2024-10-21 and directs administrators to apply mitigations per vendor guidance or discontinue use where mitigations are unavailable CISA KEV.
The vulnerability is categorized as CWE-78 (OS Command Injection), aligning with the observed ability to execute arbitrary shell commands through crafted input MITRE CVE. Affected products are explicitly the DrayTek Vigor3900, Vigor2960, and Vigor300B platforms per the CVE record NVD.
Why it matters
KEV inclusion means active exploitation has been observed or substantiated, elevating this from a theoretical bug to an operational threat to edge infrastructure CISA KEV. RCE on a routing platform grants an adversary the ability to run attacker-controlled code on the device, a high-privilege foothold that can facilitate persistence, traffic manipulation, or lateral staging NVD. Federal agencies have a hard remediation date (2024-10-21), and private-sector owners should treat that as the practical deadline to remove exposure CISA KEV.
This vulnerability’s exploit path is highly deterministic—driven by a specific endpoint and header/filename behavior—which makes it both easy to weaponize and straightforward to detect if you’re watching the right signals MITRE CVE. When attackers can convert a single HTTP transaction into shell execution on a gateway device, response must operate faster than human triage loops CISA KEV.
Technical detail
CVE-2020-15415 is an OS command injection in DrayTek’s Vigor3900/2960/300B series within cgi-bin/mainfunction.cgi/cvmcfgupload, reachable via HTTP requests to the device’s web interface NVD. The flaw triggers when the request uses the Content-Type value text/x-python-script and injects shell metacharacters within a filename parameter, leading to command execution on the underlying OS MITRE CVE. The vulnerability maps to CWE-78 due to the improper neutralization of special elements used in OS command contexts MITRE CVE.
Affected models called out in the CVE are: Vigor3900, Vigor2960, and Vigor300B, all treated as “Multiple Vigor Routers” in KEV tracking NVD. Exploit reliability is helped by the constrained trigger—an upload handler endpoint plus a precise Content-Type—reducing guesswork for attackers scanning exposed management interfaces CISA KEV. Because the injection point is the filename field submitted with a nonstandard script Content-Type, the malicious input sits inside an otherwise ordinary-looking multipart upload and needs only a few metacharacters to reach the shell NVD.
Defense
- Patch/mitigate now: follow vendor instructions; where unavailable, plan device replacement or decommission per KEV guidance CISA KEV.
- Reduce exposure: restrict or remove internet-facing management for these models; enforce allowlists/VPN for admin access as an immediate risk cut CISA KEV.
- Detection engineering: alert on HTTP traffic to /cgi-bin/mainfunction.cgi/cvmcfgupload that carries Content-Type: text/x-python-script, especially where filenames include shell metacharacters such as ;, |, $, or backticks NVD. Correlate successful responses from that endpoint with subsequent anomalous device behavior (unexpected processes or config changes) to catch post-exploitation MITRE CVE.
- Segmentation/containment: isolate management planes and limit east-west reach from these devices to cap blast radius during incident response CISA KEV.
- Verification: validate that compensating controls are effective by attempting benign requests that mimic the header/path pattern (without metacharacters) to ensure visibility and logging are in place MITRE CVE.
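As an added example (not from the advisory or the vendor), the detection logic from the bullets above run over a constructed log: it keys on the CGI path plus the text/x-python-script Content-Type, escalates to an alert only when the upload filename contains shell metacharacters, and classifies the metacharacter-free verification probe as a notice so the visibility check still shows up in logging. The JSON-lines log format and the field names (src, path, content_type, filename) are assumptions standing in for whatever the WAF or proxy actually emits.

```python
import json
import re

# Indicators taken from the advisory: the CGI path, the unusual
# Content-Type, and shell metacharacters in the upload filename.
TARGET_PATH = "/cgi-bin/mainfunction.cgi/cvmcfgupload"
TRIGGER_CONTENT_TYPE = "text/x-python-script"
METACHARS = re.compile(r"[;|$`&]")


def classify(event):
    """Severity for one log event.

    'alert'  : path + Content-Type + metacharacters in filename (full pattern)
    'notice' : path + Content-Type but a clean filename, e.g. the benign
               verification probe described in the Defense section
    None     : not relevant to this signature
    """
    path = event.get("path", "").split("?", 1)[0]
    # Drop parameters such as "; charset=..." and normalise case.
    ctype = event.get("content_type", "").split(";", 1)[0].strip().lower()
    if path != TARGET_PATH or ctype != TRIGGER_CONTENT_TYPE:
        return None
    if METACHARS.search(event.get("filename", "")):
        return "alert"
    return "notice"


def scan(log_lines):
    """Scan JSON-lines records; return (severity, src, filename) for each hit."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        sev = classify(event)
        if sev:
            hits.append((sev, event.get("src"), event.get("filename")))
    return hits


# Constructed sample log (assumed field names, not real traffic): one
# full-pattern request, one benign verification probe, one unrelated upload.
SAMPLE_LOG = """
{"src": "203.0.113.10", "method": "POST", "path": "/cgi-bin/mainfunction.cgi/cvmcfgupload", "content_type": "text/x-python-script", "filename": "cfg;x", "status": 200}
{"src": "192.0.2.5", "method": "POST", "path": "/cgi-bin/mainfunction.cgi/cvmcfgupload", "content_type": "text/x-python-script", "filename": "probe.cfg", "status": 200}
{"src": "192.0.2.6", "method": "POST", "path": "/cgi-bin/mainfunction.cgi/cvmcfgupload", "content_type": "multipart/form-data; boundary=abc", "filename": "backup.cfg", "status": 200}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)  # prints the alert and the notice, not the third record
```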
Lyrie Verdict
This is a textbook deterministic exploit chain: a specific CGI path, a rare Content-Type, and shell metacharacters in a filename—perfect for machine-speed pattern matching and blocking NVD. Lyrie prioritizes autonomous edge telemetry to flag and block any request to cgi-bin/mainfunction.cgi/cvmcfgupload bearing text/x-python-script and a filename containing shell metacharacters before the execution path reaches the shell MITRE CVE. Given KEV-confirmed exploitation and a hard due date, treat this as an automated control problem, not a ticket queue; detection must run inline, at wire speed, and default-deny this signature on sight CISA KEV.
Deterministic exploit path (cgi-bin/mainfunction.cgi/cvmcfgupload + text/x-python-script + filename metacharacters) enables autonomous, inline detection and blocking at wire speed.