CVE-2013-10059
Published 2025-08-01
Priority: P2 66 high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 19.11% (97.0th percentile)
An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d-link | dir-615h1 | <= 8.04 | — |
| dlink | dir-615h_firmware | <= 8.04 | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to the tools_vct.htm endpoint for the ping_ipaddr parameter containing backtick characters (`), which are used for shell command encapsulation/injection.
- Detect exploitation attempts by monitoring for outbound wget requests originating from D-Link DIR-615 devices, as the exploit converts the blind command injection into payload execution via wget.
- Alert on authentication attempts using default credentials (admin/admin or admin/password) against D-Link web interfaces, as exploitation requires authentication.
- A ping command against a controlled/external system from the target device can be used as a canary to confirm blind OS command injection exploitation.
- The vulnerability is confirmed only on D-Link DIR-615 hardware revision H1 running firmware version 8.04; other hardware revisions or firmware versions may not be affected.
- This is a blind OS command injection — there is no direct output returned to the attacker from the executed command, making detection via response inspection ineffective.
- Exploitation requires prior authentication to the device web interface.
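The first detection item above (backticks in the ping_ipaddr parameter of tools_vct.htm requests) is simple enough to run as a log check. The following is an added example, not code from the advisory, Metasploit, or D-Link: it parses Combined Log Format request lines captured by an assumed reverse proxy or network sensor in front of the router (the router itself keeps no such log), URL-decodes the ping_ipaddr value, including double-encoded forms, and flags values carrying shell metacharacters. The sample log lines and the addresses in them are constructed. Because the diagnostic form may be submitted by POST, a sensor that only records request lines will miss parameters carried in the body; the check is meant for the query-string case and as a template for a body-inspecting equivalent.

```python
"""Flag HTTP requests whose ping_ipaddr value for tools_vct.htm contains
shell metacharacters (added example; not part of the advisory or any vendor code)."""

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: client, ident, user, [timestamp], "METHOD target HTTP/x.y", ...
_REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# A legitimate ping target is an IP address or hostname; none of these
# characters belong in one. The backtick is the encapsulation named in the
# advisory, the others are common shell separators worth flagging as well.
SHELL_META = set("`$;|&")

# Assumed path of the diagnostic page (taken from the advisory text).
VULN_PAGE = "tools_vct.htm"


def parse_request(line):
    """Return the client, timestamp, method and request target, or None if unparseable."""
    m = _REQUEST_RE.match(line)
    return m.groupdict() if m else None


def fully_decode(value, rounds=3):
    """URL-decode until stable (bounded) so %2560 is seen as a backtick too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_ping_values(target):
    """Return ping_ipaddr values on the tools_vct.htm page that contain shell metacharacters."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PAGE):
        return []
    # parse_qs already decodes one layer; fully_decode handles nested encoding.
    raw_values = parse_qs(parts.query, keep_blank_values=True).get("ping_ipaddr", [])
    decoded = [fully_decode(v) for v in raw_values]
    return [v for v in decoded if SHELL_META & set(v)]


def analyze(lines):
    """Run the check over access-log lines and return one finding per offending request."""
    findings = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue  # not an access-log request line; skip rather than crash
        bad = suspicious_ping_values(req["target"])
        if bad:
            findings.append({"src": req["src"], "ts": req["ts"], "values": bad})
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2025:10:00:01 +0000] "GET /tools_vct.htm?ping_ipaddr=192.0.2.1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Aug/2025:10:00:05 +0000] "GET /tools_vct.htm?ping_ipaddr=192.0.2.1%60id%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Aug/2025:10:00:09 +0000] "GET /tools_vct.htm?ping_ipaddr=192.0.2.1%2560id%2560 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [01/Aug/2025:10:01:00 +0000] "GET /index.htm HTTP/1.1" 200 2048 "-" "curl/8.0"',
    "this line is not an access-log entry",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} ping_ipaddr={f['values']}")
```

Run as a script it prints the two offending requests from the constructed sample; the benign ping request, the unrelated page and the unparseable line produce nothing. Treat a hit as a reason to check the device for the follow-on indicators listed above (outbound wget, pings to unexpected hosts), since the injection itself is blind and the response will look normal.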
CVSS provenance
- NVD, CVSS v3.1: 7.2 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 8.6 (HIGH), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No detection rules found.
No writeups or analysis indexed.
References
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dir615_up_exec.rb
- https://web.archive.org/web/20150921102603/http://www.s3cur1ty.de/m1adv2013-008
- https://www.exploit-db.com/exploits/24477
- https://www.exploit-db.com/exploits/25609
- https://www.vulncheck.com/advisories/d-link-legacy-os-command-injection
Published: 2025-08-01