CVE-2013-10069

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb	Exploit
https://web.archive.org/web/20150428184723/http://www.s3cur1ty.de/m1adv2013-003	Exploit Third Party Advisory
https://www.exploit-db.com/exploits/24453	Exploit
https://www.vulncheck.com/advisories/dlink-devices-unauth-rce	Third Party Advisory
https://www.exploit-db.com/exploits/24453	Exploit

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:dlink:dir-600_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-600:b:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:dlink:dir-300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:dlink:dir-300:b:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-05 20:15

Updated : 2025-09-23 18:37

NVD link : CVE-2013-10069

Mitre link : CVE-2013-10069

CVE.ORG link : CVE-2013-10069

JSON object : View

Products Affected

dlink

dir-600
dir-300_firmware
dir-300
dir-600_firmware

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2013-10069", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-05T20:15:35.690", "references": [{"url": "https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/http/dlink_dir_300_600_exec_noauth.rb", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://web.archive.org/web/20150428184723/http://www.s3cur1ty.de/m1adv2013-003", "tags": ["Exploit", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/24453", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/dlink-devices-unauth-rce", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/24453", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "The web interface of multiple D-Link routers, including DIR-600 rev B (\u22642.14b01) and DIR-300 rev B (\u22642.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root."}, {"lang": "es", "value": "La interfaz web de varios routers D-Link, incluyendo el DIR-600 rev B (?2.14b01) y el DIR-300 rev B (?2.13), contiene una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo no autenticados en command.php, que gestiona incorrectamente el par\u00e1metro POST cmd. Un atacante remoto puede explotar esta vulnerabilidad sin autenticaci\u00f3n para generar un servicio Telnet en un puerto espec\u00edfico, lo que permite el acceso persistente al shell interactivo como root."}], "lastModified": "2025-09-23T18:37:48.680", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dir-600_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F87BB64-EF06-4511-9F07-231D4045CE45", "versionEndIncluding": "2.14b01"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dir-600:b:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "AC7A081E-5CA0-4B32-97B6-B9B0BACDF2ED"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:dlink:dir-300_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB8FDB5F-A68F-4548-8329-40BDBF70479A", "versionEndIncluding": "2.13"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:dlink:dir-300:b:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "3C94BE4B-01ED-4300-AEA0-498D3DCF608D"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "[email protected]"}