Cyber Resilience

CVE-2013-10048

Critical · Public PoC · RCE

Published: 01 August 2025
Modified: 23 September 2025
KEV Added:
Patch:
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.7558 (98.9th percentile)
Risk Priority: 64 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-10048 is a critical-severity OS Command Injection (CWE-78) vulnerability in D-Link DIR-300 firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.1% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2013-10048 is an OS command injection vulnerability (CWE-78) affecting legacy D-Link routers, including the DIR-300 revision B with firmware versions up to 2.13 and the DIR-600 with firmware versions up to 2.14b01. The issue arises in the unauthenticated command.php endpoint due to improper input handling and inadequate sanitization of the "cmd" parameter, enabling injection of arbitrary operating system commands. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, and no privileges required.

A remote attacker can exploit this vulnerability by sending specially crafted POST requests to the command.php endpoint, requiring no authentication. This allows execution of arbitrary shell commands with root privileges, resulting in full takeover of the affected device. Potential impacts include launching services such as Telnet, exfiltrating credentials, modifying system configurations, and disrupting device availability.

Advisories such as S3cur1ty.de's m1adv2013-003 (archived) and VulnCheck's advisory detail the vulnerability, while public proof-of-concept exploits are available on Exploit-DB (24453, 27528) and as a Metasploit module (linux/http/dlink_command_php_exec_noauth). These resources identify the lack of authentication and poor input sanitization as root causes, with mitigation centered on upgrading to firmware versions beyond 2.13 for DIR-300 rev B and 2.14b01 for DIR-600.

The vulnerability has been publicly documented since at least 2013, with multiple exploit implementations indicating potential for real-world abuse against unpatched legacy devices still in use.
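A defender-side check for the request pattern described above, as an added example that is not taken from the advisories or from this page: it scans HTTP access logs for requests whose decoded path ends in command.php and grades them by method and response status. The log source (combined log format from a proxy or gateway in front of the device), the sample lines and the severity grades are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format, hypothetical proxy in front
# of the router); addresses are from the documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Aug/2025:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [02/Aug/2025:10:01:12 +0000] "POST /command.php HTTP/1.1" 200 31 "-" "curl/8.0"
203.0.113.9 - - [02/Aug/2025:10:02:40 +0000] "POST /%63ommand.PHP?x=1 HTTP/1.0" 200 0 "-" "-"
203.0.113.9 - - [02/Aug/2025:10:02:41 +0000] "POST /cgi/../command.php HTTP/1.1" 404 0 "-" "-"
192.0.2.44 - - [02/Aug/2025:10:03:00 +0000] "GET /command.php HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.44 - - [02/Aug/2025:10:03:05 +0000] "POST /help/command.php.html HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def last_segment(target):
    """Drop query/fragment, percent-decode once, return the final path segment lowercased."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return path.rstrip("/").rsplit("/", 1)[-1].lower()

def find_hits(log_text):
    """Return one dict per request aimed at command.php, graded by severity."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or last_segment(m["target"]) != "command.php":
            continue
        # The page describes exploitation via POST; a 2xx reply means the
        # endpoint answered the request, so that combination ranks highest.
        if m["method"] == "POST":
            sev = "high" if m["status"].startswith("2") else "medium"
        else:
            sev = "low"
        hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "severity": sev})
    return hits

def summarize(hits):
    """Count hits per (source address, severity) for triage."""
    return Counter((h["src"], h["severity"]) for h in hits)

if __name__ == "__main__":
    for (src, sev), n in sorted(summarize(find_hits(SAMPLE_LOG)).items()):
        print(f"{sev:6} {src:15} {n}")
```

Access logs normally omit the POST body, so the check keys on the endpoint rather than on the cmd value; any hit against a DIR-300 rev B or DIR-600 address warrants a firmware check.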

Vulnerability details

An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitization of the cmd parameter.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct unauthenticated RCE via command injection on a public-facing router web endpoint maps to T1190; arbitrary root shell command execution maps to T1059.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2013-10069 (Same product: Dlink Dir-300)
CVE-2013-10050 (Same product: Dlink Dir-300)
CVE-2018-25115 (Same product: Dlink Dir-600)
CVE-2018-25120 (Same vendor: Dlink)
CVE-2025-25894 (Same vendor: Dlink)
CVE-2026-2260 (Same vendor: Dlink)
CVE-2026-4465 (Same vendor: Dlink)
CVE-2026-2210 (Same vendor: Dlink)
CVE-2026-8273 (Same vendor: Dlink)
CVE-2025-15194 (Same product: Dlink Dir-600)

Affected Assets

dlink · dir-300 firmware · ≤ 2.13
dlink · dir-600 firmware · ≤ 2.14b01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates OS command injection by requiring validation and sanitization of the untrusted 'cmd' parameter in command.php.

prevent

Enforces access control policies to block unauthenticated access to the vulnerable command.php endpoint.

prevent

Requires timely identification, reporting, and remediation of the command injection flaw through firmware updates.
