Cyber Posture

CVE-2013-10050

Severity: High · Public PoC · RCE

Published: 01 August 2025
Modified: 23 September 2025
KEV Added: not listed in CISA KEV
Patch: no vendor patch (affected models are end-of-life)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6546 (98.5th percentile)
Risk Priority: 57 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-10050 is a high-severity, authenticated OS command injection (CWE-78) vulnerability in D-Link DIR-300 firmware, also confirmed on the DIR-615. Its CVSS v3.1 base score is 8.8 (High); the PR:L component reflects that valid web-interface credentials are required.

Operationally, it ranks in the top 1.5% of CVEs by exploit likelihood (EPSS 0.6546); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept, including a Metasploit module, is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation). Because no vendor patch exists, SA-22 (retiring the device, or isolating its management interface) is the only one an operator can actually apply; SI-10 describes the fix the firmware itself would need.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of user-supplied input in the pingIp parameter to block OS command injection in the tools_vct.xgi CGI endpoint: accept only an IP literal or hostname, and never hand the value to a shell.

SA-22 Unsupported System Components (prevent)
Prohibits the use of end-of-life D-Link routers with unpatched firmware exposing the vulnerable tools_vct.xgi endpoint.

Flaw remediation (prevent, recover)
Requires timely identification and remediation of the known OS command injection flaw. Since no vendor patch exists, remediation means isolating the device from untrusted networks (in particular, keeping the web interface off the WAN) or retiring it.

NVD Description

An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.

Deeper analysis

An OS command injection vulnerability, classified under CWE-78, affects multiple D-Link routers, with confirmation on DIR-300 revision A running firmware v1.05 and DIR-615 revision D running v4.13. The issue resides in the authenticated tools_vct.xgi CGI endpoint within the web interface, which fails to properly sanitize user-supplied input in the pingIp parameter before it reaches a shell. This allows injection of arbitrary shell commands. The vulnerability is present in firmware versions that expose the tools_vct.xgi endpoint and use the Mathopd/1.5p6 web server, so that server banner is a practical fingerprint when inventorying exposed devices. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers with valid credentials can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious input for the pingIp parameter, they can execute arbitrary shell commands, leading to full device compromise. Successful exploitation enables capabilities such as spawning a telnet daemon and obtaining a root shell.

Advisories and references, including a Metasploit module for the DIR-300, an archived 2013 advisory from s3cur1ty.de, Exploit-DB entries (25024 and 27428), and a VulnCheck advisory, document public exploits but note that no vendor patch is available, as affected models are end-of-life. Mitigation relies on isolating or retiring vulnerable devices, as no firmware updates exist.
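As an added example, not D-Link firmware and not code from any advisory or tool referenced above, the C program below puts the pattern described in this section beside its hardened form and adds a detection check: build_ping_cmd_vulnerable splices the raw pingIp value into a shell command line the way the vulnerable handler effectively does; is_valid_ping_target is the allowlist the SI-10 control calls for; run_ping_hardened executes ping through an argv array so no shell ever parses the target; and request_line_is_injection / params_carry_injection flag a tools_vct.xgi request whose pingIp fails that allowlist. It assumes the value arrives URL-encoded under the name pingIp (or as the last component of a slash-separated name, since the page does not state the exact form); the request lines it is exercised with are constructed, not captured traffic.

```c
/* Added example, not D-Link firmware or any tool's code. Assumed: the pingIp value arrives
 * URL-encoded under the name "pingIp" (or as the last "/"-separated component of a longer name). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

static int hexval(int c) {
    return isdigit(c) ? c - '0' : (c = tolower(c)) >= 'a' && c <= 'f' ? c - 'a' + 10 : -1;
}

/* Decode %XX and '+' from a URL-encoded value; -1 on a truncated/non-hex escape or overflow. */
static int url_decode(const char *in, size_t inlen, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++, o++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int h = i + 2 < inlen ? hexval((unsigned char)in[i + 1]) : -1;
            int l = i + 2 < inlen ? hexval((unsigned char)in[i + 2]) : -1;
            if (h < 0 || l < 0) return -1;
            c = h * 16 + l, i += 2;
        } else if (c == '+') c = ' ';
        if (o + 1 >= outsz) return -1;
        out[o] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Look up `key` in "k=v&k=v" params: 1 found (decoded into out), 0 absent, -1 bad encoding.
 * "pingIp" also matches a name ending in "/pingIp" (e.g. "set/runtime/diagnostic/pingIp"). */
int get_query_param(const char *params, const char *key, char *out, size_t outsz) {
    size_t klen = strlen(key);
    for (const char *p = params, *amp;; p = amp + 1) {
        amp = strchr(p, '&');
        size_t pairlen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', pairlen);
        size_t namelen = eq ? (size_t)(eq - p) : pairlen;
        int tail = namelen >= klen && memcmp(p + namelen - klen, key, klen) == 0;
        if (tail && (namelen == klen || p[namelen - klen - 1] == '/')) {
            if (!eq) { out[0] = '\0'; return 1; }
            return url_decode(eq + 1, pairlen - namelen - 1, out, outsz) < 0 ? -1 : 1;
        }
        if (!amp) return 0;
    }
}

/* Vulnerable pattern: the raw value is spliced into a command line bound for system()/sh -c.
 * Returned instead of executed so a payload's effect can be inspected. */
int build_ping_cmd_vulnerable(const char *ping_ip, char *cmd, size_t cmdsz) {
    int n = snprintf(cmd, cmdsz, "ping -c 4 %s", ping_ip);
    return n >= 0 && (size_t)n < cmdsz;
}

/* Allowlist (the SI-10 control): a dotted-quad IPv4 literal, or a hostname of [A-Za-z0-9.-] not
 * starting with '-' (ping would read it as an option). Shell metacharacters never get through
 * because nothing outside the allowlist is accepted; there is no denylist to bypass. */
int is_valid_ping_target(const char *s) {
    size_t n = strlen(s);
    struct in_addr a;
    if (n == 0 || n > 64) return 0;
    if (inet_pton(AF_INET, s, &a) == 1) return 1;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '-') return 0;
    return s[0] != '-';
}

/* Hardened execution: validate, then exec ping with an argv array so no shell parses the target. */
int run_ping_hardened(const char *target) {
    if (!is_valid_ping_target(target)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execlp("ping", "ping", "-c", "4", target, (char *)NULL); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Detection on "k=v&k=v" params (query string or POST body): 1 if a pingIp value is present and
 * fails the allowlist or cannot be decoded, else 0. */
int params_carry_injection(const char *params) {
    char value[256];
    int r = get_query_param(params, "pingIp", value, sizeof value);
    return r == 0 ? 0 : (r < 0 || !is_valid_ping_target(value));
}

/* Same check on an HTTP request line, restricted to the tools_vct.xgi endpoint. */
int request_line_is_injection(const char *line) {
    const char *path = strstr(line, "/tools_vct.xgi");
    const char *q = path ? strchr(path, '?') : NULL;
    if (!q) return 0;
    char query[512];
    size_t qlen = strcspn(q + 1, " ");           /* request-target ends at the first space */
    if (qlen >= sizeof query) return 1;          /* oversized query: treat as suspicious */
    memcpy(query, q + 1, qlen), query[qlen] = '\0';
    return params_carry_injection(query);
}
```

Fed the constructed line "GET /tools_vct.xgi?pingIp=192.168.0.1%3Btelnetd&pingTest=Ping HTTP/1.1", request_line_is_injection returns 1 and build_ping_cmd_vulnerable shows why: the decoded value turns the command line into "ping -c 4 192.168.0.1;telnetd", which a shell runs as two commands. For a POST body, pass the body string to params_carry_injection directly. The validator is deliberately an allowlist rather than a list of forbidden characters, which is what SI-10 asks for and why it needs no maintenance as new encodings or metacharacters turn up. Since the flaw is authenticated, a hit on this endpoint means a logged-in session sent the payload; treat it as evidence of credential compromise, not merely an unauthenticated probe.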

Details

CWE(s): CWE-78 (Improper Neutralization of Special Elements used in an OS Command)

Affected Products
dlink dir-300 firmware ≤ 1.05
dlink dir-615 firmware ≤ 4.13

CVEs Like This One

CVE-2013-10048 (same product: D-Link DIR-300)
CVE-2013-10069 (same product: D-Link DIR-300)
CVE-2026-1506 (same product: D-Link DIR-615)
CVE-2026-2152 (same product: D-Link DIR-615)
CVE-2026-2151 (same product: D-Link DIR-615)
CVE-2026-1448 (same product: D-Link DIR-615)
CVE-2026-1505 (same product: D-Link DIR-615)
CVE-2018-25115 (same product: D-Link DIR-615)
CVE-2025-25893 (same vendor: D-Link)
CVE-2022-50596 (same vendor: D-Link)
