CVE-2013-10050

CWE-78 — OS Command Injection3 documents3 sources

Severity

8.7HIGH

EPSS

61.9%

top 1.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

D-link Dir-300 REV A D-link Dir-615 REV D Dlink Dir-300 Firmware +1 more

Timeline

PublishedAug 1

Description

An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmwa…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDdlink/dir-300_firmware1.05

▶NVDdlink/dir-615_firmware4.13

▶CVEListV5d-link/dir-300_rev_a* — 1.05

▶CVEListV5d-link/dir-615_rev_d* — 4.13

🔴Vulnerability Details

GHSA

GHSA-2cvr-c5hj-x7rm: An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1↗2025-08-01

▶

CVEList

D-Link Devices tools_vct.xgi Unauthenticated RCE↗2025-08-01

▶