CVE-2021-20123

Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges. Vendor/Product: DrayTek VigorConnect. Added to CISA KEV 2024-09-03; required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.