Security Advisory: Vigor 3900 / 2960 / 300B Remote code injection/execution vulnerability (CVE-2020-14472 / CVE-2020-15415)



CVE-2020-14472 / CVE-2020-15415

Priority: Critical

Product Models: Vigor 3900, Vigor 2960, Vigor 300B

Action Required: Update your firmware immediately to version or later

DrayTek have become aware of a possible exploit of the Vigor 2960 / 3900 / 300B related to the WebUI. On 17th Jun 2020 we released an updated firmware to address this issue.

Necessary Action: Users of affected models should upgrade to firmware or later as soon as possible.

Pre-upgrade Mitigation: You should upgrade the firmware as soon as possible. If it is impossible to do this immediately, disable remote access to your device or restrict remote access with an ACL, then upgrade as soon as possible.

Firmware downloads are available from here (For UK/IE Region only).

If you have remote access enabled on your router, disable it if you don't need it, and use an access control list (ACL) if possible. An ACL is a preset whitelist of the remote IP addresses permitted to administer your router, blocking everyone else. Alternatively, permit remote administration only through a secure VPN or using VigorACS central management.

Update Mailing List (UK/Ireland)

UK/Ireland users should subscribe to our mailing list in order to receive timely notifications of firmware or critical updates like this one. As a general rule of best practice, always keep all of your products' firmware up to date and check for updates regularly.

Disclaimer: Please check this web page again for any new/updated information. You are advised to always keep your product's firmware or software up to date and keep in touch with your vendors to be advised of any new vulnerabilities (for example by subscribing to mailing lists). The information in this web page is provided in good faith based on the information available to us at the current time, following an appropriate assessment but without acceptance of liability in the case of new, developing or existing threats or unlawful activity against your system. Any suggestions given above are provided as general information but should not be considered a thorough or specific assessment of your own individual security risks, and you should take formal advice from a security expert to assess your specific security needs. As with any advisory, the suggested advice forms part of your own security planning and protocols.

Please note that mail alerts on this issue will come from our domain "drayteknews.co.uk", not our web domain (draytek.co.uk). Both domains are legitimate and belong to us (DrayTek), but in line with anti-phishing measures, you're quite right to check.