Imagine a burglar who doesn't need to pick your lock — because you accidentally built a secret door into your wall and forgot about it. That's essentially what security researchers have discovered hiding inside one of the most commonly deployed business routers in the world.
Who Is at Risk — and How Badly
The DrayTek Vigor 2960 is not a consumer home router. It's the kind of hardware sitting in the server closets of small businesses, branch offices, healthcare clinics, law firms, and schools — organizations that depend on it to route every email, video call, and file transfer their employees make. DrayTek routers have an installed base of millions of devices worldwide, with the Vigor series particularly dominant across Europe, Asia, and small-to-medium enterprises in North America.
Any organization running Vigor 2960 firmware older than version 1.5.1.4 is sitting on an unpatched vulnerability rated 8.1 out of 10 (HIGH) on the CVSS severity scale. A remote attacker, someone in another country with a laptop, who knows a valid username on the device and targets an account with mobile one-time-password login enabled can run commands on the router without ever knowing its password. From there, they can intercept traffic, pivot deeper into your internal network, plant ransomware, steal credentials, or simply watch everything your organization does online.
What the Attacker Actually Does — In Plain English
Every router has a login page, a web form where you type a username and password. The Vigor 2960's login page also has a field for a one-time password, the second factor that some accounts use on top of their regular password. The problem? The software that processes what you type into that field doesn't check whether the text is actually a password or a hidden shell command disguised as one.
An attacker who knows a valid username on the device — information that can often be guessed or found through other means — can type something crafted and malicious into that password field. Instead of a password, they slip in a shell command: a quiet instruction that the router's operating system reads and obeys, as if a legitimate administrator had issued it. The router, trusting the input completely, executes the command. No login required. No alarm raised. The attacker is now running code on your network's front door.
Think of it like a bank teller who accepts any note slipped through the window as a legitimate transaction request — including one that says "hand over the keys to the vault." The Vigor 2960's login handler was accepting malicious instructions dressed up as innocent password attempts, then carrying them out without question.
The Technical Detail Security Teams Need to Know
For the researchers and defenders in the room: this is an OS command injection vulnerability (CWE-78) in the CGI login handler, triggered via the formpassword parameter. Unsanitized input is passed directly to a shell script called otp_check.sh, which runs with the web server's privileges; on many embedded routers that web server runs as root, so confirm what that means on your firmware rather than assuming the injected command is sandboxed. Exploitation requires knowledge of a valid username and that the targeted account has MOTP (Mobile One-Time Password) authentication enabled, a condition that narrows, but does not eliminate, the attack surface. CVSS score: 8.1 HIGH (CVE-2022-50994).
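The mechanism described in plain English above and the CWE-78 detail in this section, as an added shell illustration (this is not DrayTek's code and not the real otp_check.sh or CGI handler): `login_vulnerable` splices the submitted OTP into a command string that the shell re-parses (`eval` stands in for handing a concatenated string to `system()` or `sh -c`), while `login_hardened` allow-lists both fields and passes them as separate quoted arguments. The function names, the six-digit OTP format, the hard-coded expected code and the `admin` account are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration of the CWE-78 pattern described in the article. This is
# NOT DrayTek's otp_check.sh or its CGI handler; the function names, the
# six-digit OTP format and the hard-coded expected code are assumptions
# constructed for the demo.

# Stand-in for real OTP verification (constructed): one user, one expected code.
expected_otp_for() {
    case "$1" in
        admin) printf '%s' 123456 ;;
        *)     printf '%s' '' ;;
    esac
}

# Returns 0 only when the submitted code matches the user's expected code.
otp_verify() {
    [ -n "$2" ] && [ "$(expected_otp_for "$1")" = "$2" ]
}

# VULNERABLE handler. The username and the formpassword value are joined
# into one command string that the shell re-parses, as
# system("otp_check.sh <user> <password>") or `sh -c "..."` would do.
# Shell syntax in the "password" (;  ||  $(...)  backticks) is executed.
login_vulnerable() {
    eval "otp_verify $1 $2"
}

# HARDENED handler. Allow-list both fields before they reach any command,
# then pass them as separate, quoted arguments so the shell treats them as
# data. No command string is ever rebuilt from user input.
login_hardened() {
    user="$1"; otp="$2"
    case "$user" in ''|*[!A-Za-z0-9_]*) return 2 ;; esac
    case "$otp"  in [0-9][0-9][0-9][0-9][0-9][0-9]) ;; *) return 2 ;; esac
    otp_verify "$user" "$otp"
}

# Demonstration with a constructed payload: the attacker knows the username
# "admin" but not the OTP. The payload fails the OTP check on purpose and
# then runs its own command; because that command comes last, the handler
# also reports "success".
payload='000000 || echo INJECTED'
if login_vulnerable admin "$payload"; then
    echo "vulnerable handler: login accepted and the injected command ran"
fi
if login_hardened admin "$payload"; then
    echo "hardened handler: accepted the payload (must not happen)"
else
    echo "hardened handler: rejected the payload"
fi
```

Run it with `sh`: the vulnerable handler prints `INJECTED` and reports success with a wrong OTP, while the hardened handler rejects the same payload before anything executes. The allow-list matters as much as the quoting: quoted arguments stop the shell from parsing the value, but a downstream script that handles its arguments loosely can still be confused by newlines or control characters, so reject anything that is not a plain six-digit code.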
Has This Been Used in the Wild?
As of publication, no confirmed active exploitation has been documented in the wild for this specific CVE. That is the one piece of genuinely good news here. However, security teams should treat "not yet exploited" as a countdown clock, not a reassurance. DrayTek routers have historically been a high-value target: in 2023 and 2024, multiple DrayTek vulnerabilities were actively weaponized by threat actors — including nation-state affiliated groups — to build botnet infrastructure and conduct espionage campaigns against telecommunications providers and government networks. Once a proof-of-concept for a flaw like this circulates in underground forums, exploitation typically begins within days to weeks.
The vulnerability was disclosed under CVE-2022-50994. Organizations that have not actively monitored firmware patch cycles for their networking hardware — a group that, realistically, includes the majority of small and medium businesses — should assume their devices may still be running the vulnerable version.
What You Need to Do Right Now
- Update your firmware to version 1.5.1.4 or later, immediately.
  Log into the Vigor 2960's management interface and go to System Maintenance > Firmware Upgrade. The patched firmware (1.5.1.4 and later) is available from DrayTek's official support portal at draytek.com; do not download firmware from any third-party source. If you manage multiple devices, treat this as a priority patch, not a scheduled maintenance item.
- Disable remote management access if you don't need it.
  If the router's admin interface is reachable from the public internet, restrict it now. Go to System Maintenance > Management and disable remote management, or restrict it to specific trusted IP addresses. Most small business routers have no legitimate reason to expose their login page to the whole internet. Closing that door removes the internet-facing attack path even before you patch, but the login page remains reachable from the LAN (including guest Wi-Fi and any already-compromised internal host), so this is a stopgap, not a substitute for the update.
- Audit which accounts have MOTP authentication enabled.
  Because the vulnerable code path is only reached when the targeted account uses MOTP, review the router's user accounts under User Management and check which ones have mobile one-time password authentication active. As a temporary mitigation, disable MOTP on accounts that don't need it until the device is patched, then re-enable it; weaker authentication is not the permanent fix. Make sure admin credentials are strong and unique, and rotate all administrator passwords after patching. If a device sat on the internet in a vulnerable state, assume its credentials may have been observed, and review the configuration for unexpected admin accounts, port-forwarding rules, or changed DNS settings.