CVE-2013-10050

· Published 01/08/2025 21:15 · Modified 01/08/2025 21:15

Labels: CVE-2013-10050, 2025-08-01, CWE-78, [email protected]

Essential information

Published: 01/08/2025 21:15
Modified: 01/08/2025 21:15
Author:
Creator:
CVSS: 8.7 HIGH (v3), 8.7 HIGH (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

Product            CPE
d-link / dir-300   cpe:2.3:a:d-link:dir-300:1.05:*:*:*:*:*:*:*
d-link / dir-615   cpe:2.3:a:d-link:dir-615:4.13:*:*:*:*:*:*:*
