Details of VAR-202508-0048

ID

VAR-202508-0048

CVE

CVE-2013-10059

TITLE

D-Link DIR-615H1 Command Injection Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2025-18478

DESCRIPTION

An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands. The D-Link DIR-615H1 is a wireless router from D-Link, a Chinese company. The D-Link DIR-615H1 suffers from a command injection vulnerability caused by insufficient input sanitization in the tools_vct.htm endpoint. This vulnerability could allow an attacker to cause remote code execution

Trust: 1.44

sources: NVD: CVE-2013-10059 // CNVD: CNVD-2025-18478

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-18478

AFFECTED PRODUCTS

vendor:

d link

model:

dir-615h1

scope:

version:

8.04

Trust: 0.6

sources: CNVD: CNVD-2025-18478

CVSS

SEVERITY

CVSSV2

CVSSV3

disclosure@vulncheck.com:	CVE-2013-10059
value:	HIGH
Trust: 1.0
CNVD:	CNVD-2025-18478
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2025-18478
severity:	HIGH
baseScore:	8.3
vectorString:	AV:N/AC:L/AU:M/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.4
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2025-18478 // NVD: CVE-2013-10059

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2013-10059

EXTERNAL IDS

db:	NVD	id:	CVE-2013-10059	Trust: 1.6
db:	EXPLOIT-DB	id:	25609	Trust: 1.0
db:	EXPLOIT-DB	id:	24477	Trust: 1.0
db:	CNVD	id:	CNVD-2025-18478	Trust: 0.6

sources: CNVD: CNVD-2025-18478 // NVD: CVE-2013-10059

REFERENCES

url:	https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dir615_up_exec.rb	Trust: 1.0
url:	https://web.archive.org/web/20150921102603/http://www.s3cur1ty.de/m1adv2013-008	Trust: 1.0
url:	https://www.vulncheck.com/advisories/d-link-legacy-os-command-injection	Trust: 1.0
url:	https://www.exploit-db.com/exploits/24477	Trust: 1.0
url:	https://www.exploit-db.com/exploits/25609	Trust: 1.0
url:	https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/	Trust: 0.6

sources: CNVD: CNVD-2025-18478 // NVD: CVE-2013-10059

SOURCES

db:	CNVD	id:	CNVD-2025-18478
db:	NVD	id:	CVE-2013-10059

LAST UPDATE DATE

2025-08-15T23:19:25.537000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-18478	date:	2025-08-14T00:00:00
db:	NVD	id:	CVE-2013-10059	date:	2025-08-04T15:15:30.600

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-18478	date:	2025-08-14T00:00:00
db:	NVD	id:	CVE-2013-10059	date:	2025-08-01T21:15:28