High severity8.1NVD Advisory· Published May 8, 2026· Updated May 8, 2026

CVE-2022-50994

Description

DrayTek Vigor 2960 firmware versions prior to 1.5.1.4 contain an OS command injection vulnerability in the CGI login handler that allows unauthenticated remote attackers to execute arbitrary commands by injecting shell metacharacters into the formpassword parameter. Attackers can exploit unsanitized input passed to the otp_check.sh script to achieve remote code execution with web server privileges. Exploitation requires knowledge of a valid username and that the target account has MOTP authentication enabled.

Affected products

Draytek/Vigor 2960llm-create
Range: <1.5.1.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.draytek.co.uk/support/downloads/vigor-2960/older-firmware/firmware-1514nvd
www.draytek.com/about/newsroom/2021/2021/end-of-life-notification-vigor2960nvd
www.vulncheck.com/advisories/draytek-vigor-2960-os-command-injection-via-mainfunction-cginvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000