What happened

CISA added CVE-2021-20123 (DrayTek VigorConnect) to the Known Exploited Vulnerabilities catalog, signaling confirmed in-the-wild exploitation and setting a remediation due date for federal entities CISA KEV. The issue is a path traversal flaw in VigorConnect’s DownloadFileServlet that allows an unauthenticated attacker to download arbitrary files from the underlying OS with root privileges NVD MITRE CVE. CISA lists the entry date as 2024-09-03 with a remediation due date of 2024-09-24 and requires agencies to apply vendor mitigations or discontinue use if unavailable CISA KEV.

Why it matters

A controller defect with unauthenticated arbitrary file read at root is a fast path to credential theft and configuration disclosure on the host running VigorConnect NVD. Path traversal (CWE-22) enables attackers to pivot across filesystem boundaries by injecting directory traversal sequences to reach sensitive files that the service can access CWE-22. KEV inclusion means exploitation is already observed or credibly reported, compressing defenders’ patch windows and prioritization decisions CISA KEV.

For environments where VigorConnect manages numerous edge devices, a single arbitrary file-read on the management host can cascade: leaked secrets or configs feed follow-on system compromise, lateral movement, or device takeover scripts—especially in hands of automation-first adversaries NVD CWE-22.

Technical detail

• Vulnerability class: Path Traversal (CWE-22), enabling access to files outside intended directories by supplying traversal tokens in request parameters NVD CWE-22.
• Affected product: DrayTek VigorConnect server software, via a vulnerable DownloadFileServlet endpoint MITRE CVE NVD.
• Impact: Unauthenticated attackers can download arbitrary files from the operating system with root privileges, resulting in disclosure of any files readable by the service context MITRE CVE NVD.

How it’s typically abused:

• Adversaries probe the vulnerable servlet with crafted paths containing traversal sequences such as ../ to escape intended directories and target OS or application files CWE-22.
• Because the service reads files as root (per advisory context), an attacker’s file scope is effectively the full host filesystem, constrained only by path controls in the app (which the traversal bypasses) MITRE CVE.
• File-read primitives commonly serve as recon footholds: leaking configuration, credentials, or keys that enable subsequent authenticated access or remote administration, amplifying impact beyond the initial disclosure NVD.

CISA’s KEV designation makes clear this isn’t hypothetical; threat actors are leveraging it now, so unmanaged internet-exposed instances are high-risk until mitigated CISA KEV.

Defense

Immediate actions (prioritized):

• Patch/mitigate: Follow the vendor’s remediation guidance; if none is available, CISA instructs discontinuing use of the product CISA KEV.
• Exposure control: Ensure the VigorConnect service is not internet-exposed; restrict to trusted management networks and authenticated administrators only CISA KEV.
• Compensating controls: If patching is delayed, insert a reverse proxy/WAF rule to deny requests containing traversal tokens (../, ..\) to the download servlet path; this aligns with blocking patterns associated with CWE-22 exploitation CWE-22.

Detection and response:

• Hunt for HTTP requests to download endpoints containing traversal sequences (../) or absolute path attempts—classical indicators of path traversal probes CWE-22.
• Review application and system logs on the VigorConnect host for anomalous file access originating from the service user, especially around the KEV add date (2024-09-03) as exploitation upticked CISA KEV.
• Treat any unpatched, internet-reachable instance as potentially compromised and perform credential rotation for secrets stored on or managed by the host after remediation NVD.

Programmatic risk management:

• Map CVE-2021-20123 in your SBOM and asset inventory; prioritize it under your KEV-driven SLA with the CISA due date of 2024-09-24 for closure tracking CISA KEV.
• Add CWE-22 to your secure coding review checklists and WAF signatures to create durable controls against class-wide traversal defects CWE-22.

Lyrie Verdict

CVE-2021-20123 is a low-complexity, unauthenticated file-read on a management controller—exactly the kind of commodity vector that automated adversaries (including LLM-driven scrapers) will iterate at scale. Lyrie’s autonomous detectors flag traversal indicators in HTTP payloads, correlate to privileged file-access patterns on the host, and auto-escalate when root-scope reads target sensitive paths characteristic of CWE-22 abuse—all at machine speed CWE-22. With KEV-confirmed exploitation, we recommend enforcing a block policy for traversal-pattern requests against VigorConnect until patched, and maintaining continuous, automated watch on download endpoints backed by KEV-aware prioritization CISA KEV NVD.