DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4_Beta devices allow remote code execution as root (without authentication) via shell. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
RCE
Command Injection
Vigor2960 Firmware
Vigor300b Firmware
Vigor3900 Firmware
NVD
Exploit-DB
CVSS 3.1
9.8
EPSS
100.0%