CVE-2013-10048
Published: 01 August 2025
Summary
CVE-2013-10048 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-300 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 1.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates OS command injection by requiring validation and sanitization of the untrusted 'cmd' parameter in command.php.
Enforces access control policies to block unauthenticated access to the vulnerable command.php endpoint.
Requires timely identification, reporting, and remediation of the command injection flaw through firmware updates.
NVD Description
An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote…
more
attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitation of the cmd parameter.
Deeper analysisAI
CVE-2013-10048 is an OS command injection vulnerability (CWE-78) affecting legacy D-Link routers, including the DIR-300 revision B with firmware versions up to 2.13 and the DIR-600 with firmware versions up to 2.14b01. The issue arises in the unauthenticated command.php endpoint due to improper input handling and inadequate sanitization of the "cmd" parameter, enabling injection of arbitrary operating system commands. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, and no privileges required.
A remote attacker can exploit this vulnerability by sending specially crafted POST requests to the command.php endpoint, requiring no authentication. This allows execution of arbitrary shell commands with root privileges, resulting in full takeover of the affected device. Potential impacts include launching services such as Telnet, exfiltrating credentials, modifying system configurations, and disrupting device availability.
Advisories such as S3cur1ty.de's m1adv2013-003 (archived) and Vulncheck's advisory detail the vulnerability, while public proof-of-concept exploits are available on Exploit-DB (24453, 27528) and as a Metasploit module (linux/http/dlink_command_php_exec_noauth). These resources highlight the lack of authentication and poor input sanitization as root causes, with mitigation centered on upgrading to firmware versions beyond 2.13 for DIR-300 rev B and 2.14b01 for DIR-600.
The vulnerability has been publicly documented since at least 2013, with multiple exploit implementations indicating potential for real-world abuse against unpatched legacy devices still in use.
Details
- CWE(s)