CVE-2020-15415 Scanner

CVE-2020-15415 Scanner – DrayTek Vigor Command Injection Detection

Short Info

Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 7 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

DrayTek Vigor series routers are widely used in small-to-medium business networks. They offer remote web-based administration and configuration upload interfaces. One such feature, the `cvmcfgupload` functionality, is exposed via a multipart file upload handler under `/cgi-bin/mainfunction.cgi/cvmcfgupload`.

CVE-2020-15415 is a critical command injection vulnerability that allows unauthenticated remote attackers to execute arbitrary system commands by submitting specially crafted multipart/form-data payloads. This is made possible by improper sanitization of user-controlled file names during processing.

Attackers can inject commands by manipulating the filename attribute in the multipart request. For example:

    POST /cgi-bin/mainfunction.cgi/cvmcfgupload?1=2
    Content-Disposition: form-data; name="abc"; filename="t';id;echo '1_"

Successful exploitation is confirmed when the server returns a 200 OK response that includes `uid=` or `gid=` strings (indicative of a shell command like `id` being run) and carries headers suggesting a DrayTek Web Server (DWS).

As this vulnerability is unauthenticated and exploitable over the network, it poses a significant risk for remote code execution (RCE) and router takeover. It may allow attackers to pivot into internal networks, modify configurations, or deploy persistent malware.
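A defender-side check for the request shape described above, as an added example that is not part of the original page or the scanner's own code: it flags POSTs to the `cvmcfgupload` handler whose multipart `filename` carries shell metacharacters. The function names, the metacharacter policy and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Upload handler path named in the description above.
TARGET_PATH = "/cgi-bin/mainfunction.cgi/cvmcfgupload"
# Quoted or bare filename attribute of a Content-Disposition header.
FILENAME_ATTR = re.compile(r'\bfilename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)
# Assumed policy: a configuration file name never needs these shell metacharacters.
SHELL_META = re.compile(r"[;'`|&$<>\\]")


def suspicious_filenames(raw_request: str) -> list[str]:
    """Return filename values with shell metacharacters in a POST to the upload handler."""
    lines = raw_request.splitlines()
    request_line = lines[0].split() if lines else []
    if len(request_line) < 2 or request_line[0].upper() != "POST":
        return []
    # Decode percent-escapes so an encoded path cannot slip past the match.
    if TARGET_PATH not in unquote(urlsplit(request_line[1]).path):
        return []
    hits = []
    for line in lines[1:]:
        if not line.lower().startswith("content-disposition:"):
            continue
        for quoted, bare in FILENAME_ATTR.findall(line):
            value = quoted or bare
            if SHELL_META.search(value):
                hits.append(value)
    return hits


def sample_request(method: str, target: str, filename: str) -> str:
    """Build a constructed multipart request (not captured traffic)."""
    return (
        f"{method} {target} HTTP/1.1\r\nHost: router.example\r\n"
        "Content-Type: multipart/form-data; boundary=b\r\n\r\n--b\r\n"
        f'Content-Disposition: form-data; name="abc"; filename="{filename}"\r\n'
        "\r\nconfig-bytes\r\n--b--\r\n"
    )


if __name__ == "__main__":
    cases = [
        ("POST", TARGET_PATH + "?1=2", "t';id;echo '1_"),  # string from the page
        ("POST", TARGET_PATH, "backup_2020.cfg"),           # benign upload
        ("POST", "/other/upload", "a;b.cfg"),               # different handler
    ]
    for method, target, name in cases:
        print(method, target, suspicious_filenames(sample_request(method, target, name)))
```

The same function can be run over requests reconstructed from a reverse proxy or packet capture placed in front of the router's management interface.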
