🔐 CVE Alert

CVE-2013-10048

Severity: UNKNOWN (0.0)

D-Link Devices command.php Unauthenticated RCE

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication on the endpoint and inadequate sanitization of the cmd parameter.

CWE: CWE-78
Vendor: d-link
Product: dir-600
Published: Aug 1, 2025
Last Updated: Apr 7, 2026

Affected Versions

D-Link / DIR-600
* ≤ 2.14b01
D-Link / DIR-300
* ≤ 2.13

References

* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb
* exploit-db.com: https://www.exploit-db.com/exploits/24453
* exploit-db.com: https://www.exploit-db.com/exploits/27528
* web.archive.org: https://web.archive.org/web/20131022221648/http://www.s3cur1ty.de/m1adv2013-003
* vulncheck.com: https://www.vulncheck.com/advisories/d-link-legacy-unauth-rce

Credits

Michael Messner