CVE-2022-50994
Deferred Deferred - Pending Action
OS Command Injection in DrayTek Vigor 2960 Firmware

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: VulnCheck

Description
DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2022-50994
EUVD
EUVD-2022-55966
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
draytek vigor_2960 to 1.5.1.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50994 is an OS command injection vulnerability found in DrayTek Vigor 2960 firmware versions prior to 1.5.1.4. It exists in the CGI login handler, where unsanitized input is passed to the otp_check.sh script. An attacker who knows a valid username and targets an account with MOTP authentication enabled can inject shell metacharacters into the formpassword parameter, allowing them to execute arbitrary commands remotely with web server privileges.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on the affected device with the privileges of the web server. This can lead to remote code execution, potentially compromising the device, allowing attackers to manipulate or control it, access sensitive information, disrupt network operations, or use the device as a foothold for further attacks.

Detection Guidance

This vulnerability can be detected by monitoring for attempts to inject shell metacharacters into the 'formpassword' parameter of the CGI login handler on DrayTek Vigor 2960 devices running firmware versions prior to 1.5.1.4.

Detection can involve inspecting web server logs for suspicious login requests containing unusual characters or command injection patterns in the 'formpassword' field.

Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such injection attempts.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include upgrading the DrayTek Vigor 2960 firmware to version 1.5.1.4 or later, where this OS command injection vulnerability has been fixed.

If upgrading is not immediately possible, restrict access to the device's web interface to trusted networks or IP addresses to reduce exposure.

Disable MOTP authentication on accounts if feasible, as exploitation requires a valid username with MOTP enabled.

Consider replacing the Vigor 2960 device with a newer model such as the Vigor 2962, as the 2960 has reached end of life and no further updates will be provided.

Compliance Impact

The provided context and resources do not include any information regarding the impact of CVE-2022-50994 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart