CVE-2013-7389

EXPLOITED

D-Link DIR-645 < 1.04B11 - Cross-Site Scripting via Parental Controls Bind Parameter

Title source: llm

Exploitation Summary

CVE-2013-7389 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including Roberto Paleari and Craig Heffner, among them the Metasploit module exploits/linux/http/dlink_authentication_cgi_bof.

AI-analyzed exploit summary: The exploit details multiple vulnerabilities in D-Link DIR-645 firmware 1.03B08, including buffer overflows in 'post_login.xml', 'hedwig.cgi', and 'authentication.cgi', as well as XSS vulnerabilities in 'bind.php', 'info.php', and 'bsc_sms_send.php'. Proof-of-concept commands are provided for each vulnerability, demonstrating remote code execution and cross-site scripting.

Description

Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php.

Exploits (3)

exploitdb WORKING POC
by Roberto Paleari · text · webapps · hardware
https://www.exploit-db.com/exploits/27283

The exploit details multiple vulnerabilities in D-Link DIR-645 firmware 1.03B08, including buffer overflows in 'post_login.xml', 'hedwig.cgi', and 'authentication.cgi', as well as XSS vulnerabilities in 'bind.php', 'info.php', and 'bsc_sms_send.php'. Proof-of-concept commands are provided for each vulnerability, demonstrating remote code execution and cross-site scripting.

Classification: Working PoC 90%
Attack Type: RCE | XSS
Complexity: Moderate
Reliability: Reliable
Target: D-Link DIR-645, firmware 1.03B08
No auth needed
Prerequisites: Network access to the target device · Curl or similar HTTP client
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Roberto Paleari, Craig Heffner · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb

This Metasploit module exploits a buffer overflow vulnerability in D-Link routers via the authentication.cgi endpoint by sending a maliciously crafted POST request with an overly long password field. It achieves remote code execution (RCE) by leveraging a cmdstager to execute arbitrary commands on the target device.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: D-Link DIR-645 firmware 1.03 (and other vulnerable firmwares such as DIR865LA1_FW101b06 and DIR845LA1_FW100b20)
No auth needed
Prerequisites: Network access to the vulnerable D-Link router · Target device must be running vulnerable firmware
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC NORMAL
by Roberto Paleari, Craig Heffner · ruby · poc · linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb

This Metasploit module exploits a buffer overflow vulnerability in D-Link routers via the hedwig.cgi endpoint by sending a maliciously crafted cookie header. It achieves remote code execution by leveraging a stack-based overflow to control the instruction pointer and execute arbitrary commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600
No auth needed
Prerequisites: Network access to the vulnerable D-Link router · hedwig.cgi endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026

References (6)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/95953
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/95952
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/show/osvdb/95910
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/61579

Scores

EPSS 0.9223
EPSS Percentile 99.7%

Details

VulnCheck KEV 2021-04-12
CWE CWE-79
Status published
Products (2)
dlink/dir-645 a1
dlink/dir-645_firmware < 1.03
Published Jul 07, 2014
Tracked Since Feb 18, 2026