CVE-2026-3040
Status: Received - Intake
OS Command Injection in DrayTek Vigor 300B Web Interface

Publication date: 2026-02-23

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in DrayTek Vigor 300B up to 1.5.1.6. This affects the function cgiGetFile of the file /cgi-bin/mainfunction.cgi/uploadlangs of the component Web Management Interface. The manipulation of the argument File leads to OS command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor confirms that "300B is EoL, and this is an authenticated vulnerability. We don't plan to fix it." This vulnerability only affects products that are no longer supported by the maintainer.
Meta Information
Published: 2026-02-23
Last Modified: 2026-04-29
Generated: 2026-05-27
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor: draytek
Product: vigor300b_firmware
Version / Range: up to 1.5.1.6 (inclusive)
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the DrayTek Vigor 300B device up to version 1.5.1.6, specifically in the Web Management Interface component. It affects the cgiGetFile function of the /cgi-bin/mainfunction.cgi/uploadlangs file. By manipulating the File argument, an attacker can perform OS command injection, potentially executing arbitrary commands on the device. The attack can be initiated remotely but requires authentication.

The vendor has confirmed that the 300B model is End of Life (EoL) and will not be fixed. The exploit is publicly available.


How can this vulnerability impact me?

If exploited, this vulnerability could allow an authenticated attacker to execute arbitrary operating system commands on the affected device remotely. This could lead to unauthorized control over the device, potentially compromising its functionality, accessing sensitive information, or disrupting network operations.

However, the vulnerability requires authentication, which limits the attack surface to users who already have some level of access.

Since the device is no longer supported, no patches will be provided, increasing the risk if the device remains in use.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

This vulnerability affects DrayTek Vigor 300B devices up to version 1.5.1.6 and is an authenticated OS command injection vulnerability in the web management interface.

Since the vendor has confirmed that the 300B model is End of Life (EoL) and no fixes will be provided, immediate mitigation steps include:

  • Restrict access to the web management interface to trusted and secure networks only.
  • Ensure that only authorized and authenticated users can access the device management interface.
  • Consider isolating or removing the vulnerable device from critical network segments.
  • Monitor for any suspicious activity or exploitation attempts targeting the /cgi-bin/mainfunction.cgi/uploadlangs endpoint.
  • Plan to replace the affected device with a supported model that receives security updates.
