Cyber Resilience

CVE-2013-10050

HighPublic PoCRCEUpdated

Published: 01 August 2025

Published
01 August 2025
Modified
26 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.8093 99.2th percentile
Risk Priority 66 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2013-10050 is a high-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-300 Firmware. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

An OS command injection vulnerability, classified under CWE-78, affects multiple D-Link routers, with confirmation on DIR-300 revision A running firmware v1.05 and DIR-615 revision D running v4.13. The issue resides in the authenticated tools_vct.xgi CGI endpoint within the web interface, which fails to properly sanitize user-supplied input in the pingIp parameter. This allows injection of arbitrary shell commands. The vulnerability is present in firmware versions that expose the tools_vct.xgi endpoint and utilize the Mathopd/1.5p6 web server. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers with valid credentials can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious input for the pingIp parameter, they can execute arbitrary shell commands, leading to full device compromise. Successful exploitation enables capabilities such as spawning a telnet daemon and obtaining a root shell.

Advisories and references, including a Metasploit module for the DIR-300, an archived 2013 advisory from s3cur1ty.de, Exploit-DB entries (25024 and 27428), and a Vulncheck advisory, document public exploits but note no vendor patch is available, as affected models are end-of-life. Mitigation relies on isolating or retiring vulnerable devices, as no firmware updates exist.

EU & UK References

Vulnerability details

An OS command injection vulnerability exists in multiple D-Link routers (confirmed on DIR-300 rev A v1.05 and DIR-615 rev D v4.13) via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter,…

more

allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Authenticated OS command injection in public-facing web CGI endpoint directly enables remote exploitation of the application (T1190) to execute arbitrary Unix shell commands (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2013-10048Same product: Dlink Dir-300
CVE-2013-10069Same product: Dlink Dir-300
CVE-2026-2151Same product: Dlink Dir-615
CVE-2026-2152Same product: Dlink Dir-615
CVE-2018-25115Same product: Dlink Dir-615
CVE-2026-1505Same product: Dlink Dir-615
CVE-2018-25120Same vendor: Dlink
CVE-2025-25894Same vendor: Dlink
CVE-2026-1448Same product: Dlink Dir-615
CVE-2026-1506Same product: Dlink Dir-615

Affected Assets

dlink
dir-300 firmware
≤ 1.05
dlink
dir-615 firmware
≤ 4.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the pingIp parameter in tools_vct.xgi to block OS command injection.

prevent

Requires disabling or removing the unnecessary tools_vct.xgi CGI endpoint and ping functionality that enables the injection.

prevent

Limits privileges of authenticated web-interface accounts so command injection cannot immediately yield root shell access.

References