CVE-2021-20124 — Draytek VigorConnect Path Traversal Vulnerability

CVE-2021-20124

DrayTek VigorConnect — Unauthenticated Path Traversal in WebServlet Endpoint Enables Arbitrary File Read with Root Privileges

What is DrayTek VigorConnect?

DrayTek VigorConnect is a centralized network management platform for administering fleets of DrayTek Vigor routers and networking equipment. Organizations use VigorConnect to manage router configurations, firmware updates, VPN settings, and network monitoring across multiple DrayTek devices from a single interface. VigorConnect is typically deployed in small-to-medium business environments and managed service provider (MSP) networks. As a management platform with access to router configurations — including VPN credentials, SNMP community strings, and network topology — VigorConnect is a high-value target for attackers seeking network access or credential harvesting.

Overview

CVE-2021-20124 is a path traversal vulnerability (CWE-22) in the WebServlet endpoint of DrayTek VigorConnect. Like its companion CVE-2021-20123, which affects the DownloadFileServlet endpoint, it lets an unauthenticated remote attacker read arbitrary files from the server by embedding directory traversal sequences in an HTTP request; because the VigorConnect service runs as root, any file on the host is readable. Both vulnerabilities were disclosed together and were added to the CISA KEV catalog together in September 2024, nearly three years after a fix was available. A KEV listing means CISA holds evidence that the CVE is being exploited in the wild, so listing both CVEs at once indicates that both servlet endpoints, not just one, have been abused in real attacks.

Affected Versions

Product Vulnerable Fixed
DrayTek VigorConnect before 1.6.1 Yes 1.6.1 (apply vendor advisory)

Technical Details

  • Root cause: Path traversal (CWE-22). The WebServlet endpoint takes a filename/path parameter from the request and builds a filesystem path from it without rejecting directory traversal sequences (../) or confining the result to the intended directory. Servlet containers URL-decode request parameters before the servlet sees them, so percent-encoded forms such as %2e%2e%2f or ..%2f arrive at the path-building code as plain ../.
  • No authentication required: the endpoint is reachable without login credentials
  • Arbitrary file read: Traversal out of the intended directory allows reading any file the VigorConnect process can open, and since the service runs as root that is effectively every file on the host: /etc/shadow, SSH private keys, VigorConnect database files holding managed router credentials, TLS certificate private keys, and any other sensitive file on the server
  • Companion vulnerability: CVE-2021-20123 affects the DownloadFileServlet endpoint; CVE-2021-20124 affects the WebServlet endpoint — both provide the same unauthenticated file read primitive via different code paths
  • Information disclosure focus: CVSS C:H/I:N/A:N — the attack reads data but cannot modify or delete files
  • Network accessible: Exploitable remotely from the internet if the VigorConnect management interface is internet-exposed
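The root-cause bullet above, shown as an added example that is not VigorConnect code (the product is a Java servlet application; the handler below is a Python stand-in written for this page). The vulnerable form joins the caller-supplied name straight onto the web root, which is the CWE-22 pattern; the hardened form canonicalises the result and refuses anything outside the root. The function names, the temporary directory layout and the `secret.txt` stand-in for a credential file are assumptions for the demo.

```python
import os
import tempfile

# Added example, not VigorConnect code: a file handler written two ways.

def vulnerable_read(base_dir: str, name: str) -> bytes:
    """CWE-22 pattern: the filesystem path is built directly from the request parameter."""
    # '../' segments walk out of base_dir; an absolute name makes os.path.join discard base_dir entirely.
    path = os.path.join(base_dir, name)
    with open(path, "rb") as fh:
        return fh.read()


def hardened_read(base_dir: str, name: str) -> bytes:
    """Resolve symlinks and '..' first, then refuse any target that is not under base_dir."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, name))
    # commonpath is a prefix check on path components, so '/www2' cannot pass as '/www'.
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {name!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a throwaway tree: <tmp>/www is the web root, <tmp>/secret.txt sits outside it."""
    tmp = tempfile.mkdtemp()
    www = os.path.join(tmp, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "wb") as fh:
        fh.write(b"<html>ok</html>")
    with open(os.path.join(tmp, "secret.txt"), "wb") as fh:
        fh.write(b"db_password=hunter2\n")  # constructed stand-in for a config/credential file

    results = {"legit": hardened_read(www, "index.html")}
    # The vulnerable handler happily serves a file one level above the web root.
    results["vuln_escape"] = vulnerable_read(www, "../secret.txt")
    try:
        hardened_read(www, "../secret.txt")
        results["hardened_escape"] = "ALLOWED"
    except PermissionError:
        results["hardened_escape"] = "BLOCKED"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check happens on the canonical path, after `realpath` has collapsed `..` and followed symlinks, which is what makes a blocklist of `../` substrings unnecessary and avoids the encoding games that defeat such blocklists.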

Discovery

Reported by external security researchers alongside CVE-2021-20123. DrayTek addressed both path traversal vulnerabilities in the same security advisory and patch release. The addition of both CVEs to the CISA KEV catalog on the same day indicates that CISA has evidence of in-the-wild exploitation of both VigorConnect path traversal endpoints.

Exploitation Context

The two VigorConnect path traversal CVEs (20123 and 20124) provide redundant file-read paths into the same management platform, so attackers harvesting network credentials can use whichever endpoint is reachable. In MSP environments a compromised VigorConnect server exposes the configuration, and therefore the credentials, of every managed router in the fleet, enabling mass downstream network compromise. That the CVEs reached the KEV catalog nearly three years after the patch shows that unpatched instances were still exposed and worth attacking in 2024, consistent with slow patch cycles for management software in SMB and MSP environments.

Remediation

  1. Upgrade DrayTek VigorConnect to version 1.6.1 or later per the DrayTek security advisory — this addresses both CVE-2021-20123 and CVE-2021-20124
  2. Restrict access to the VigorConnect management interface via firewall — allow only trusted administrative IP ranges
  3. Remove VigorConnect from internet-facing exposure; require VPN access for management
  4. Review server access logs for path traversal indicators in requests to /WebServlet and /DownloadFileServlet: plain ../ sequences as well as URL-encoded forms such as %2e%2e%2f, ..%2f and double-encoded %252e%252e%252f, since the servlet decodes the parameter before using it
  5. If compromise is suspected, rotate all credentials stored in VigorConnect: managed router passwords, SNMP community strings, VPN pre-shared keys, and certificate private keys
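A way to carry out the log review in step 4, as an added example and not a DrayTek or VigorConnect tool. It assumes the web server writes Apache/nginx "combined" format access logs and that the two servlets are mounted at /WebServlet and /DownloadFileServlet (the endpoint names the advisories give); the query parameter names in the sample lines, the IP addresses and the log lines themselves are constructed for the demo. The scanner percent-decodes the request target repeatedly so that single- and double-encoded traversal sequences are caught, and it flags attempts regardless of response status, since a 404 on a probe is still reconnaissance worth seeing.

```python
import re
from urllib.parse import unquote

# Added example, not VigorConnect code: scan access-log lines for traversal attempts
# against the two servlet paths named in the advisories. Adjust SERVLETS to your mount points.
SERVLETS = ("/WebServlet", "/DownloadFileServlet")

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' segment on its own: preceded by start of string, a slash, or a query delimiter,
# and followed by a slash or end of string. 'report..pdf' does not match; '=../x' does.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=?&;])\.\.(?:[/\\]|$)')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and double-encoded %252e%252e%252f surface as ../"""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def is_traversal(target: str) -> bool:
    """True when the decoded request target contains a '..' path segment (forward or back slash)."""
    decoded = fully_decode(target).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def scan(lines):
    """Return one dict per request to a VigorConnect servlet that carries a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        target = m.group("target")
        path = target.split("?", 1)[0]
        if not any(fully_decode(path).startswith(s) for s in SERVLETS):
            continue  # traversal elsewhere may matter too, but this scan is scoped to the two servlets
        if is_traversal(target):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": target, "status": m.group("status")})
    return hits


# Constructed sample lines (IPs from documentation ranges; parameter names are assumed).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2024:12:01:02 +0000] "GET /WebServlet?filename=../../../../etc/shadow HTTP/1.1" 200 1423 "-" "curl/7.68.0"
203.0.113.7 - - [10/Sep/2024:12:01:05 +0000] "GET /DownloadFileServlet?fileName=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2107 "-" "curl/7.68.0"
198.51.100.22 - - [10/Sep/2024:13:40:11 +0000] "GET /WebServlet?filename=%252e%252e%252fetc%252fhostname HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.10 - - [10/Sep/2024:14:00:00 +0000] "GET /WebServlet?filename=logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Sep/2024:14:00:01 +0000] "GET /static/../index.html HTTP/1.1" 200 9 "-" "Mozilla/5.0"
this line is not an access-log entry
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {hit['target']}")
```

Run it against the real log with `scan(open("/var/log/nginx/access.log").read().splitlines())` (path is an assumption for your server). Treat any hit with a 200 response on these endpoints as a presumed successful read and move to step 5.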

Key Details

Property Value
CVE ID CVE-2021-20124
Vendor / Product DrayTek — VigorConnect
NVD Published 2021-10-13
NVD Last Modified 2025-11-03
CVSS 3.1 Score 7.5
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity HIGH
CWE CWE-22
CISA KEV Added 2024-09-03
CISA KEV Deadline 2024-09-24
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Required Action

CISA BOD 22-01 Deadline: 2024-09-24. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date Event
2021-10-13 CVE-2021-20124 published alongside CVE-2021-20123; DrayTek issues security advisory for VigorConnect path traversal vulnerabilities
2024-09-03 Added to CISA Known Exploited Vulnerabilities catalog alongside CVE-2021-20123, nearly three years after disclosure
2024-09-24 CISA BOD 22-01 remediation deadline