CVE-2022-50994 CRITICAL

CVE-2022-50994: DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi

Vendor Draytek

Product Vigor 2960

Weakness CWE-78

Published May 8, 2026

Last update May 8, 2026

View on NVD All CVEs

CVSS base score

9.2/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled.

Key dates

02Disclosure timeline

May 8, 2026 CVE published

May 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-50994 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

CVE-2022-50994: DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi

01Description

02Disclosure timeline

03References

04Related CVE