vulnerability

DrayTek VigorConnect: CVE-2021-20123: Improper Limitation of a Pathname to a Restricted Directory

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:C/I:N/A:N)	Oct 13, 2021	Apr 30, 2025	May 1, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:N/A:N)

Published

Oct 13, 2021

Added

Apr 30, 2025

Modified

May 1, 2025

Description

A local file inclusion vulnerability exists in Draytek VigorConnect 1.6.0-B3 in the file download functionality of the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Solution

draytek-vigorconnect-upgrade-latest

References

CVE-2021-20123
https://attackerkb.com/topics/CVE-2021-20123
https://www.tenable.com/security/research/tra-2021-42

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report