216.73.217.22

CVE-2013-10048

· Published 01/08/2025 21:15 · Modified 01/08/2025 21:15

Labels: CVE-2013-10048 2025-08-01CVE-2013-10048CWE-78[email protected]

Essential information

Published
01/08/2025 21:15
Modified
01/08/2025 21:15
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitation of the cmd parameter.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
d-link / dir-300 cpe:2.3:a:d-link:dir-300:*:firmware:<2.13:*:*:*:*:*:*
d-link / dir-600 cpe:2.3:a:d-link:dir-600:*:firmware:<2.14b01:*:*:*:*:*:*

References