Home

Description

An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.

PUBLISHED Reserved 2025-08-01 | Published 2025-08-01 | Updated 2026-04-07 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

* (semver)
affected

Default status
unaffected

* (semver)
affected

Credits

Michael Messner finder

References

www.exploit-db.com/raw/25024 exploit

raw.githubusercontent.com/...ttp/dlink_dir300_exec_telnet.rb exploit

www.exploit-db.com/exploits/25024 exploit

www.exploit-db.com/exploits/27428 exploit

web.archive.org/...3110/http://www.s3cur1ty.de/m1adv2013-014 technical-description exploit

www.vulncheck.com/advisories/d-link-legacy-unauth-rce-2 third-party-advisory

cve.org (CVE-2013-10050)

nvd.nist.gov (CVE-2013-10050)

Download JSON