CRITICAL🇵🇱 Wersja polska

CVE-2013-10048

CVSS 9.3v4.0pub. 2025-08-01upd. 2025-09-23

An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitation of the cmd parameter.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Dlink Dir 300

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 300 Firmware

    OS
    Dlink
    ≤ 2.13
  • Dlink Dir 600

    HW
    Dlink
    wszystkie wersje
  • Dlink Dir 600 Firmware

    OS
    Dlink
    ≤ 2.14b01
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2018-25115CRITICAL10.0PL ✓ten sam produkt

D-Link DIR-series — nieuwierzytelniony command injection w service.cgi (root RCE)

CVE-2013-10069CRITICAL10.0PL ✓ten sam produkt

D-Link DIR-300/DIR-600 — nieuwierzytelniony OS command injection w command.php

CVE-2024-41616CRITICAL9.8PL ✓ten sam produkt

D-Link DIR-300: zakodowane na stałe dane uwierzytelniające w usłudze Telnet

CVE-2023-33625CRITICAL9.8ten sam produkt

D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a command injection vulner...

CVE-2023-33626CRITICAL9.8ten sam produkt

D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a stack overflow via the g...