PT-2025-31685 · D Link · D-Link Dir-300 Rev B+1

Published 2012-12-14 · Updated 2025-08-01 · CVE-2013-10048

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

D-Link DIR-300 rev B versions prior to firmware 2.14b01
D-Link DIR-600 versions prior to firmware 2.14b01
D-Link DIR-600 versions prior to firmware 2.13
Description

An OS command injection vulnerability exists in several legacy D-Link routers due to improper input handling. A remote attacker can execute arbitrary shell commands with root privileges by sending specially crafted POST requests to the /command.php endpoint. This allows full device takeover, including launching services such as Telnet, exfiltrating credentials, modifying the system configuration, and disrupting availability. The vulnerability stems from the endpoint requiring no authentication and from inadequate sanitization of the cmd parameter.
Recommendations

Update D-Link DIR-300 rev B to firmware version 2.14b01 or later.
Update D-Link DIR-600 to firmware version 2.14b01 or later.
Update D-Link DIR-600 to firmware version 2.13 or later.

Exploit · Fix

Weakness Enumeration

Improper Privilege Management
Incorrect Privilege Assignment
OS Command Injection

Related Identifiers

BDU:2025-09358
CVE-2013-10048

Affected Products

D-Link Dir-300 Rev B
D-Link Dir-600