CVE-2021-20123 — Draytek VigorConnect Path Traversal Vulnerability

DrayTek VigorConnect — Unauthenticated Path Traversal in DownloadFileServlet Enables Arbitrary File Read with Root Privileges

What is DrayTek VigorConnect?

DrayTek VigorConnect is a centralized network management platform for administering fleets of DrayTek Vigor routers and networking equipment. Organizations use VigorConnect to manage router configurations, firmware updates, VPN settings, and network monitoring across multiple DrayTek devices from a single interface. VigorConnect is typically deployed in small-to-medium business environments and managed service provider (MSP) networks. As a management platform with access to router configurations — including VPN credentials, SNMP community strings, and network topology — VigorConnect is a high-value target for attackers seeking network access or credential harvesting.

Overview

CVE-2021-20123 is a path traversal vulnerability (CWE-22) in DrayTek VigorConnect's DownloadFileServlet endpoint. An unauthenticated remote attacker can send a crafted HTTP request to this endpoint with directory traversal sequences (../) in the filename parameter, causing the server to serve arbitrary files from the underlying operating system filesystem with root-level read access. No authentication is required — the endpoint is accessible without any credentials. CISA added this to KEV in September 2024, nearly three years after disclosure, reflecting continued exploitation against organizations running unpatched VigorConnect installations.

CVE-2021-20124 is a companion path traversal in the WebServlet endpoint of the same product, disclosed alongside CVE-2021-20123.

Affected Versions

Product                             Vulnerable   Fixed
DrayTek VigorConnect before 1.6.1   Yes          1.6.1 (apply vendor advisory)

Technical Details

  • Root cause: Path traversal (CWE-22) — the DownloadFileServlet endpoint accepts a filename parameter and constructs a filesystem path without sanitizing directory traversal sequences
  • No authentication required — the servlet is accessible without login credentials, as it was designed to serve downloadable files
  • Arbitrary file read: An attacker can traverse outside the intended file serving directory and read any file accessible by the VigorConnect process (which runs as root), including: system password files, VigorConnect configuration files containing router credentials, SSL certificates and private keys, SSH keys, and any other sensitive data on the server
  • Exploitation pattern: A crafted HTTP request like GET /DownloadFileServlet?filename=../../../../etc/passwd returns the contents of /etc/passwd from the server
  • Confidentiality-only impact: CVSS shows C:H/I:N/A:N — pure information disclosure; the vulnerability reads files but cannot write or delete them
  • Network accessible: AV:N, PR:N — exploitable from the internet if VigorConnect is internet-exposed (common for MSP management platforms)
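The root cause described above is the classic CWE-22 pattern: a filename taken from the request is joined onto a base directory and opened, with nothing checking that the result still lies inside that directory. The following is an added example, not VigorConnect's servlet code, that puts the naive handler beside a hardened resolver which canonicalizes the path and refuses anything outside the download directory. The directory layout, file names and helper names are assumptions made for the demonstration.

```python
"""Added example (not VigorConnect's servlet code) showing the CWE-22 pattern
described above: a naive handler that joins a caller-supplied filename onto a
download directory, beside a hardened resolver that canonicalizes the result
and refuses anything outside that directory. Directory layout, file names and
helper names are assumptions for the demonstration."""
import os
import tempfile


def serve_file_naive(base_dir: str, filename: str) -> bytes:
    """Vulnerable pattern: join and open, with no check that the result
    still lies inside base_dir. '../' segments walk out of the directory."""
    path = os.path.join(base_dir, filename)
    with open(path, "rb") as f:
        return f.read()


def resolve_safely(base_dir: str, filename: str) -> str:
    """Hardened resolution: canonicalize both sides, then require the
    candidate to sit strictly below base_dir; raise PermissionError otherwise.
    realpath collapses '..' segments and symlinks, so the containment test is
    made on the path the OS would actually open. An absolute filename (which
    os.path.join would otherwise honour, discarding base_dir) fails the same
    test."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if not candidate.startswith(base + os.sep):
        raise PermissionError(f"path escapes download directory: {filename!r}")
    return candidate


def serve_file_hardened(base_dir: str, filename: str) -> bytes:
    with open(resolve_safely(base_dir, filename), "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: a 'downloads' directory with one public file and a
    sibling file standing in for an OS file outside the served tree."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "firmware.txt"), "wb") as f:
        f.write(b"public firmware blob")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"should never be served")

    results = {
        "naive_public": serve_file_naive(downloads, "firmware.txt"),
        # The naive handler follows '../' straight to the sibling file.
        "naive_escape": serve_file_naive(downloads, "../secret.txt"),
        "hardened_public": serve_file_hardened(downloads, "firmware.txt"),
    }
    # Relative traversal and an absolute path are both refused by the resolver.
    blocked = []
    for probe in ("../secret.txt", os.path.join(root, "secret.txt")):
        try:
            serve_file_hardened(downloads, probe)
            blocked.append(False)
        except PermissionError:
            blocked.append(True)
    results["hardened_escapes_blocked"] = blocked
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check is done after canonicalization rather than by stripping `../` from the input, because filtering the string leaves encoded, doubled or symlinked variants to slip through, whereas comparing the resolved path against the resolved base catches every route to a file outside the directory.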

Discovery

Reported by external security researchers and disclosed with CVE-2021-20124. DrayTek published a security advisory addressing both path traversal vulnerabilities simultaneously. The 2024 CISA KEV addition reflects confirmed exploitation activity nearly three years after the patch was available.

Exploitation Context

Network management platforms are attractive targets for initial access — credentials extracted from VigorConnect configuration files can provide access to every managed router in the fleet. DrayTek devices are widely used in small business and MSP environments. The late KEV addition (September 2024) confirms that organizations running legacy VigorConnect versions remained targets years after the patch was available. CVE-2021-20124 (WebServlet path traversal) was added to KEV simultaneously, indicating both endpoints were actively exploited.

Remediation

  1. Upgrade DrayTek VigorConnect to version 1.6.1 or later per the DrayTek security advisory
  2. If VigorConnect cannot be updated, restrict access to the management interface via firewall rules — limit access to trusted IP ranges only
  3. Do not expose VigorConnect directly to the internet; place it behind a VPN or restrict to management VLANs
  4. Review VigorConnect server logs for requests to /DownloadFileServlet containing ../ sequences that may indicate prior exploitation
  5. If prior exploitation is suspected, rotate all credentials stored in VigorConnect configurations: router admin passwords, SNMP strings, VPN keys
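Step 4 above asks for a review of server logs for requests to /DownloadFileServlet carrying `../` sequences. The following is an added example, not a DrayTek tool, that scans access-log lines for traversal attempts against that endpoint and, going slightly beyond step 4, also watches the companion WebServlet endpoint named for CVE-2021-20124. It decodes percent-encoded and double-encoded forms before matching, so `%2e%2e%2f` and `%252e%252e%252f` are caught as well as the literal sequence. The log lines are constructed samples in the common Apache/Tomcat access-log format; the endpoint paths come from this advisory.

```python
"""Added example (not a DrayTek tool) for the log-review step above: scan
access-log lines for requests to the DownloadFileServlet (and companion
WebServlet) endpoints whose target carries directory-traversal sequences,
including percent-encoded and double-encoded forms. Endpoint paths come from
the advisory text; the log lines are constructed samples in the common
Apache/Tomcat access-log format."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory; WebServlet is the CVE-2021-20124 companion.
WATCHED_ENDPOINTS = ("/downloadfileservlet", "/webservlet")

# client - - [timestamp] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# '../' or '..\' after decoding; '....//' also matches because it contains '../'
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so a double-encoded '%252e%252e%252f' is caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str, endpoints=WATCHED_ENDPOINTS):
    """Return a finding dict if the line is a traversal attempt on a watched
    endpoint, else None. The target is split before decoding so an encoded
    '?' inside the filename is not mistaken for the query separator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = fully_decode(parts.path)
    query = fully_decode(parts.query)
    if not any(ep in path.lower() for ep in endpoints):
        return None
    # Traversal usually rides in the filename parameter, but check the path too.
    if TRAVERSAL_RE.search(query) or TRAVERSAL_RE.search(path):
        return {
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "path": path,
            "query": query,
        }
    return None


def scan(lines, endpoints=WATCHED_ENDPOINTS):
    return [f for f in (classify(line, endpoints) for line in lines) if f]


def successful(findings):
    """Traversal requests answered with 200 are the strongest sign a file was
    actually disclosed; 4xx responses still show the endpoint was probed."""
    return [f for f in findings if f["status"] == 200]


def by_source(findings) -> dict:
    """Count findings per client address to see who was probing."""
    return dict(Counter(f["ip"] for f in findings))


# Constructed sample log: one benign download, three traversal attempts
# (plain, percent-encoded, double-encoded) and one against WebServlet.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Sep/2024:08:15:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Sep/2024:08:15:09 +0000] "GET /DownloadFileServlet?filename=report.pdf HTTP/1.1" 200 4096',
    '203.0.113.9 - - [12/Sep/2024:08:16:44 +0000] "GET /DownloadFileServlet?filename=../../../../etc/passwd HTTP/1.1" 200 1821',
    '203.0.113.9 - - [12/Sep/2024:08:16:51 +0000] "GET /DownloadFileServlet?filename=..%2F..%2F..%2Fetc%2Fhostname HTTP/1.1" 200 12',
    '203.0.113.9 - - [12/Sep/2024:08:17:03 +0000] "GET /DownloadFileServlet?filename=%252e%252e%252fetc%252fhostname HTTP/1.1" 404 0',
    '198.51.100.4 - - [12/Sep/2024:08:20:11 +0000] "GET /WebServlet?page=../../etc/passwd HTTP/1.1" 200 1821',
]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["status"], h["path"], h["query"])
    print("successful:", len(successful(hits)), "by source:", by_source(hits))
```

Run it over the real access log with `scan(open(path))`; any finding with a 200 status should be treated as a disclosure and trigger the credential rotation in step 5, since the files read cannot be determined from the log alone once the process runs as root.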

Key Details

Property               Value
CVE ID                 CVE-2021-20123
Vendor / Product       DrayTek — VigorConnect
NVD Published          2021-10-13
NVD Last Modified      2025-11-03
CVSS 3.1 Score         7.5
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity               HIGH
CWE                    CWE-22
CISA KEV Added         2024-09-03
CISA KEV Deadline      2024-09-24
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              None
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2024-09-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2021-10-13   CVE-2021-20123 published; DrayTek issues security advisory for VigorConnect path traversal vulnerabilities
2024-09-03   Added to CISA Known Exploited Vulnerabilities catalog — nearly three years after disclosure
2024-09-24   CISA BOD 22-01 remediation deadline