Cyber Resilience

CVE-2013-10069

Critical · Public PoC · RCE

Published: 05 August 2025

Modified: 23 September 2025
CVSS Score v4 10.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.8115 99.2th percentile
Risk Priority 69 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2013-10069 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dlink Dir-600 Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2013-10069 is an unauthenticated OS command injection vulnerability (CWE-78) in the web interface of multiple D-Link routers, specifically affecting DIR-600 rev B versions up to 2.14b01 and DIR-300 rev B versions up to 2.13. The flaw resides in the command.php script, which improperly handles the cmd POST parameter, allowing arbitrary command execution. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

A remote attacker can exploit this vulnerability without authentication by sending a crafted POST request to command.php. Successful exploitation enables the attacker to spawn a Telnet service on a port of their choice, providing persistent interactive shell access with root privileges. This grants full control over the device, including potential data exfiltration, further network pivoting, or deployment of persistent malware.

Advisories and related resources, such as the archived S3cur1ty.de bulletin (m1adv2013-003) and VulnCheck's advisory on D-Link devices, document the issue alongside public exploit code. A Metasploit auxiliary module (dlink_dir_300_600_exec_noauth) and Exploit-DB entries (e.g., 24453) demonstrate reliable exploitation paths for security testing. No specific patches are detailed in the provided references, underscoring the need for firmware upgrades where available or device replacement for end-of-support models.
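The following Python script is an added example, not code from the original page or from D-Link. It triages a device inventory against the affected firmware ranges stated above; the inventory layout, the hostnames, and the rule for comparing builds within the same release are assumptions.

```python
import re

# Affected ceilings as stated on this page: (model, hardware revision) -> last affected firmware.
AFFECTED = {("DIR-600", "B"): "2.14b01", ("DIR-300", "B"): "2.13"}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:b(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Parse '2.14b01' into (2, 14, 1); a missing build suffix gives None."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, build = match.groups()
    return int(major), int(minor), None if build is None else int(build)

def is_affected(model, revision, firmware):
    """True when the device falls inside the ranges this page lists."""
    ceiling = AFFECTED.get((model.strip().upper(), revision.strip().upper()))
    if ceiling is None:
        return False  # model/revision not covered by this page
    major, minor, build = parse_version(firmware)
    c_major, c_minor, c_build = parse_version(ceiling)
    if (major, minor) != (c_major, c_minor):
        return (major, minor) < (c_major, c_minor)
    # Same release: a missing build on either side counts as affected (assumption).
    if build is None or c_build is None:
        return True
    return build <= c_build

def triage(inventory):
    """Return hosts needing action; unparseable versions are flagged for manual review."""
    flagged = []
    for host, model, revision, firmware in inventory:
        try:
            if is_affected(model, revision, firmware):
                flagged.append(host)
        except ValueError:
            flagged.append(host + " (check manually)")
    return flagged

# Constructed sample inventory: (hostname, model, hardware revision, firmware).
SAMPLE = [
    ("branch-rtr-01", "DIR-600", "B", "2.14b01"),
    ("branch-rtr-02", "dir-600", "b", "2.15b02"),
    ("home-rtr-07", "DIR-300", "B", "2.13b01"),
    ("home-rtr-08", "DIR-300", "A", "1.05"),
    ("lab-rtr-03", "DIR-600", "B", "unknown"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Devices the script flags are candidates for the firmware upgrade or replacement path described above; anything marked for manual checking needs its version confirmed on the device itself.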

EU & UK References

Vulnerability details

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct unauthenticated OS command injection in the exposed web interface enables T1190 exploitation and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2013-10048 (Same product: Dlink Dir-300)
CVE-2013-10050 (Same product: Dlink Dir-300)
CVE-2018-25115 (Same product: Dlink Dir-600)
CVE-2018-25120 (Same vendor: Dlink)
CVE-2025-25894 (Same vendor: Dlink)
CVE-2026-2260 (Same vendor: Dlink)
CVE-2026-4465 (Same vendor: Dlink)
CVE-2026-2210 (Same vendor: Dlink)
CVE-2026-8273 (Same vendor: Dlink)
CVE-2025-15194 (Same product: Dlink Dir-600)

Affected Assets

dlink dir-600 firmware: ≤ 2.14b01
dlink dir-300 firmware: ≤ 2.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation and sanitization of the cmd POST parameter in command.php.

prevent

Mandates timely remediation of the specific command injection flaw through firmware patching or upgrades for affected D-Link routers.

prevent

Prohibits unauthenticated actions on the web interface, blocking remote exploitation of command.php without identification or authentication.

References