cbcvebase.
CVE-2013-10059
published 2025-08-01

CVE-2013-10059: An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm…

PriorityP266high7.2CVSS 3.1
AVNACLPRHUINSUCHIHAH
EXPLOIT
EPSS
19.11%
97.0th percentile
An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.

Affected

2 ranges
VendorProductVersion rangeFixed in
d-linkdir-615h1<= 8.04
dlinkdir-615h_firmware<= 8.04

Detection & IOCsextracted from sources · hover to see the quote

urltools_vct.htm
otherping_ipaddr
  • Monitor HTTP requests to the tools_vct.htm endpoint for the ping_ipaddr parameter containing backtick characters (`) which are used for shell command encapsulation/injection.
  • Detect exploitation attempts by monitoring for outbound wget requests originating from D-Link DIR-615 devices, as the exploit converts the blind command injection into payload execution via wget.
  • Alert on authentication attempts using default credentials (admin/admin or admin/password) against D-Link web interfaces, as exploitation requires authentication.
  • A ping command against a controlled/external system from the target device can be used as a canary to confirm blind OS command injection exploitation.
  • ·Vulnerability is confirmed only on D-Link DIR-615 hardware revision H1 running firmware version 8.04; other hardware revisions or firmware versions may not be affected.
  • ·This is a blind OS command injection — there is no direct output returned to the attacker from the executed command, making detection via response inspection ineffective.
  • ·Exploitation requires prior authentication to the device web interface.

CVSS provenance

nvdv3.17.2HIGHCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.6HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.