CVE-2013-10048

Severity
9.3 CRITICAL
EPSS
59.8%
top 1.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Aug 1

Description

An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (4 packages)

CVEListV5 d-link/dir-300 * 2.13
CVEListV5 d-link/dir-600 * 2.14b01

Vulnerability Details (2)

CVEList
D-Link Devices command.php Unauthenticated RCE (2025-08-01)
GHSA
GHSA-w7gc-gxjh-pg78: An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2 (2025-08-01)