CVE-2022-50994
OS Command Injection in DrayTek Vigor 2960 Firmware
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| draytek | vigor_2960 | to 1.5.1.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not include any information regarding the impact of CVE-2022-50994 on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2022-50994 is an OS command injection vulnerability found in DrayTek Vigor 2960 firmware versions prior to 1.5.1.4. It exists in the CGI login handler, where unsanitized input is passed to the otp_check.sh script. An attacker who knows a valid username and targets an account with MOTP authentication enabled can inject shell metacharacters into the formpassword parameter, allowing them to execute arbitrary commands remotely with web server privileges.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the affected device with the privileges of the web server. This can lead to remote code execution, potentially compromising the device, allowing attackers to manipulate or control it, access sensitive information, disrupt network operations, or use the device as a foothold for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for attempts to inject shell metacharacters into the 'formpassword' parameter of the CGI login handler on DrayTek Vigor 2960 devices running firmware versions prior to 1.5.1.4.
Detection can involve inspecting web server logs for suspicious login requests containing unusual characters or command injection patterns in the 'formpassword' field.
Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such injection attempts.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the DrayTek Vigor 2960 firmware to version 1.5.1.4 or later, where this OS command injection vulnerability has been fixed.
If upgrading is not immediately possible, restrict access to the device's web interface to trusted networks or IP addresses to reduce exposure.
Disable MOTP authentication on accounts if feasible, as exploitation requires a valid username with MOTP enabled.
Consider replacing the Vigor 2960 device with a newer model such as the Vigor 2962, as the 2960 has reached end of life and no further updates will be provided.