PT-2025-31687 · D Link · D-Link Dir-615 +1

Published: 2012-10-15 · Updated: 2025-08-01 · CVE-2013-10050

CVSS v2.0: 9.0
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
D-Link DIR-300 version 1.05
D-Link DIR-615 version 4.13
Description
An OS command injection vulnerability exists in multiple D-Link routers via the authenticated tools_vct.xgi CGI endpoint. The web interface does not properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Successful exploitation can lead to full device compromise, including the ability to spawn a telnet daemon and establish a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server.
Recommendations
D-Link DIR-300 version 1.05: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
D-Link DIR-615 version 4.13: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
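
With no fixed firmware listed, requests to the endpoint can be reviewed in HTTP logs from a proxy or sensor in front of the router's management interface. The following is an added example, not part of the original advisory: it flags tools_vct.xgi requests whose pingIp value is not a plain IP address or hostname. The log layout, the parameter travelling in the query string, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "tools_vct.xgi"  # endpoint named in the advisory
# Assumed log layout: "<source> ... "<METHOD> <target> HTTP/x.y" ..."
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def is_plain_target(value):
    """True only for a literal IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


def suspicious_requests(lines):
    """Return (source, decoded pingIp value) for requests that fail validation."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if not url.path.lower().endswith("/" + ENDPOINT):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # Compare the last path component so prefixed key names also match.
            if key.rsplit("/", 1)[-1].lower() == "pingip" and not is_plain_target(value):
                hits.append((match.group("src"), value))
    return hits


# Constructed sample log lines (documentation address ranges, harmless payload).
SAMPLE_LOG = [
    '192.0.2.50 - admin [15/Oct/2012:10:00:01 +0000] "GET /tools_vct.xgi?pingIp=192.0.2.1 HTTP/1.1" 200 512',
    '192.0.2.77 - admin [15/Oct/2012:10:02:13 +0000] "GET /tools_vct.xgi?pingIp=192.0.2.1%3Becho%20test HTTP/1.1" 200 512',
    '192.0.2.50 - - [15/Oct/2012:10:03:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"suspicious pingIp from {src}: {value!r}")
```

The same allowlist check (accept only an IP address or hostname, reject everything else) is the validation the endpoint itself lacks.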

Exploit

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-09523
CVE-2013-10050

Affected Products

D-Link Dir-300
D-Link Dir-615