CVE-2013-10059

HIGH

D-Link DIR-615H1 <8.04 - Command Injection

Title source: llm

Description

An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.

Exploits (3)

exploitdb WORKING POC
by m-1-k-3 · text · webapps · hardware
https://www.exploit-db.com/exploits/24477

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · hardware
https://www.exploit-db.com/exploits/25609

metasploit WORKING POC EXCELLENT
ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dlink_dir615_up_exec.rb

Scores

CVSS v3 7.2
EPSS 0.5083
EPSS Percentile 97.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-78
Status published

Affected Products (1)

dlink/dir-615h_firmware < 8.04

Timeline

Published Aug 01, 2025
Tracked Since Feb 18, 2026