Vulnerability Watch

Forum Discussion

Anonymous
2 years ago

CVE-2021-20123, CVE-2021-20124: DrayTek Flaws Added to CISA KEV

On September 3, CISA added three new vulnerabilities to the KEV, two of which were discovered and responsibly disclosed to DrayTek by security researchers from Tenable Research. Despite patches being readily available for the past three years, CISA has noted evidence of active exploitation of the vulnerabilities.

CVE-2021-20123 and CVE-2021-20124 are both local file inclusion (LFI) vulnerabilities affecting the DownloadFileServlet and WebServlet endpoints on DrayTek VigorConnect, network management software that enables centralized configuration, monitoring, and management of multiple DrayTek wireless access points from a single interface.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.

No Replies