CISA issues alert over two high-severity DrayTek vulnerabilities – here’s what you need to know
Users of DrayTek's network equipment management software have been urged to remain vigilant


CISA has added three security flaws to its known exploited vulnerabilities (KEV) catalog, including two affecting DrayTek’s network equipment management software, VigorConnect.
The third vulnerability added to the catalog affects Kingsoft’s popular WPS Office productivity suite.
All three are path traversal flaws. In the DrayTek case the flaw lets an unauthenticated attacker read files on the appliance they should not be able to access; in the WPS Office case the badly validated path is used to load a library, so the impact is code execution rather than file disclosure.
The two DrayTek vulnerabilities, CVE-2021-20123 and CVE-2021-20124, were initially discovered in 2021 by security researchers at Tenable, who described them as unauthenticated local file inclusion flaws in VigorConnect's DownloadFileServlet and WebServlet components.
The flaws were patched in October 2021, but their addition to the KEV catalog indicates that unpatched VigorConnect installations remain exposed and that attackers are targeting them.
“An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges,” Tenable warned.
Tenable also published proof-of-concept exploits for CVE-2021-20123 and CVE-2021-20124. Both vulnerabilities were rated high severity in the National Vulnerability Database (NVD), with a CVSS score of 7.5.
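As an added illustration of the bug class behind these two CVEs (this is not VigorConnect's code and not Tenable's proof of concept), the Python below shows the generic vulnerable pattern of a file download handler that joins a caller-supplied name onto a web root, next to a hardened resolver that canonicalizes the path and confines it to the root. The web root, the `file` parameter and the file names are hypothetical.

```python
"""Path traversal: a naive download handler beside a confined one.

Added example, not code from VigorConnect or Tenable. Directory layout,
parameter and file names are constructed for the demonstration.
"""
import os
import tempfile
import urllib.parse
from pathlib import Path


def naive_download(web_root: str, requested: str) -> bytes:
    """Vulnerable pattern: os.path.join trusts the caller-supplied value.

    '../secret.txt' walks out of web_root, and an absolute path such as
    '/etc/passwd' makes os.path.join discard web_root entirely.
    """
    return Path(os.path.join(web_root, requested)).read_bytes()


def safe_resolve(web_root: str, requested: str) -> Path:
    """Canonicalize `requested` under `web_root`; raise if it escapes."""
    root = Path(web_root).resolve()

    # Decode percent-encoding twice so %2e%2e%2f and the double-encoded
    # %252e%252e%252f are both seen as '../' before the containment check.
    decoded = requested
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
    decoded = decoded.replace("\\", "/")

    # Absolute paths and NUL bytes are never legitimate download names.
    if decoded.startswith("/") or "\x00" in decoded:
        raise PermissionError(f"rejected path: {requested!r}")

    # resolve() collapses '..' segments and follows symlinks, so a link
    # inside the root that points outside it is caught as well.
    candidate = (root / decoded).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return candidate


def is_confined(web_root: str, requested: str) -> bool:
    """True if safe_resolve would serve `requested`, False if it rejects it."""
    try:
        safe_resolve(web_root, requested)
        return True
    except PermissionError:
        return False


def safe_download(web_root: str, requested: str) -> bytes:
    return safe_resolve(web_root, requested).read_bytes()


def demo_results() -> dict:
    """Build a throwaway tree and compare the two handlers on it.

    Layout (constructed):  base/webroot/index.html  and  base/secret.txt,
    where secret.txt sits outside the web root and must never be served.
    """
    base = Path(tempfile.mkdtemp())
    webroot = base / "webroot"
    webroot.mkdir()
    (webroot / "index.html").write_text("<html>public</html>")
    (base / "secret.txt").write_text("root-only material")

    naive_leaks = naive_download(str(webroot), "../secret.txt") == b"root-only material"
    safe_serves_legit = safe_download(str(webroot), "index.html") == b"<html>public</html>"
    safe_blocks_plain = not is_confined(str(webroot), "../secret.txt")
    safe_blocks_encoded = not is_confined(str(webroot), "%2e%2e%2fsecret.txt")
    return {
        "naive_leaks": naive_leaks,
        "safe_serves_legit": safe_serves_legit,
        "safe_blocks_plain": safe_blocks_plain,
        "safe_blocks_encoded": safe_blocks_encoded,
    }


if __name__ == "__main__":
    for name, outcome in demo_results().items():
        print(f"{name}: {outcome}")
```

The containment check compares resolved paths rather than searching the string for `..`, which is what defeats the encoded and double-encoded variants; the unauthenticated root-level read Tenable describes is exactly what happens when the naive form runs as a privileged service process.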
CISA warned that path traversal vulnerabilities are frequent attack vectors for malicious cyber actors, and pose a significant risk to federal enterprises in particular.
Although the flaws were added to the KEV "based on evidence of active exploitation", at the time of writing there is no publicly available information on in-the-wild attacks against the DrayTek vulnerabilities. Businesses are nonetheless advised to patch affected systems as soon as possible to reduce their exposure.
Critical WPS flaw exploited by South Korean cyber gang
The third flaw, CVE-2024-7262, stems from improper path validation in promecefpluginhost.exe in versions 12.2.0.13110 to 12.2.0.16412 of Kingsoft WPS Office for Windows.
The vulnerability, rated critical with a CVSS score of 9.3, could allow an attacker to load an arbitrary Windows library onto the system, which could in turn lead to remote code execution, data exfiltration, and long-term persistence on the network.
Kingsoft WPS Office is a popular alternative to Microsoft’s productivity suite, widely used in China and East Asia, with roughly 500 million active users worldwide.
A blog published on 3 September by security firm Qualys reported APT-C-60, a South Korean-aligned cyber espionage group, had been exploiting CVE-2024-7262.
“Attackers exploited the vulnerability to install the SpyGlace backdoor on East Asian targets. Tracked as CVE-2024-7262, the vulnerability allows an attacker to perform remote code execution,” Qualys warned.
In its description of the flaw, MITRE, the nonprofit that administers the CVE program, stated the vulnerability had been found weaponized as a single-click exploit in a deceptive spreadsheet document.
Qualys revealed the spreadsheet was used by APT-C-60 to deceive users into clicking malicious hyperlinks embedded in a fake image, starting the attack’s kill chain.
Kingsoft has released a patch for CVE-2024-7262, and CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw, as well as the two DrayTek vulnerabilities, by 24 September 2024.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.