ID

VAR-202508-0133


CVE

CVE-2013-10048


TITLE

OS command injection vulnerability in D-Link Corporation DIR-300 and DIR-600 firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-014665

DESCRIPTION

An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitization of the cmd parameter. An OS command injection vulnerability exists in D-Link Corporation DIR-300 and DIR-600 firmware. Information may be obtained or tampered with, and service operation may be interrupted (DoS).

Trust: 1.62

sources: NVD: CVE-2013-10048 // JVNDB: JVNDB-2025-014665

AFFECTED PRODUCTS

vendor: dlink, model: dir-600, scope: lte, version: 2.14b01

Trust: 1.0

vendor: dlink, model: dir-300, scope: lte, version: 2.13

Trust: 1.0

vendor: d link, model: dir-600, scope: -, version: -

Trust: 0.8

vendor: d link, model: dir-300, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2025-014665 // NVD: CVE-2013-10048

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-10048
value: CRITICAL

Trust: 1.0

disclosure@vulncheck.com: CVE-2013-10048
value: CRITICAL

Trust: 1.0

NVD: CVE-2013-10048
value: CRITICAL

Trust: 0.8

nvd@nist.gov: CVE-2013-10048
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2013-10048
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2025-014665 // NVD: CVE-2013-10048 // NVD: CVE-2013-10048

PROBLEMTYPE DATA

problemtype: CWE-78

Trust: 1.0

problemtype: OS Command injection (CWE-78) [others]

Trust: 0.8

sources: JVNDB: JVNDB-2025-014665 // NVD: CVE-2013-10048

EXTERNAL IDS

db: NVD, id: CVE-2013-10048

Trust: 2.6

db: EXPLOIT-DB, id: 27528

Trust: 1.8

db: EXPLOIT-DB, id: 24453

Trust: 1.8

db: JVNDB, id: JVNDB-2025-014665

Trust: 0.8

sources: JVNDB: JVNDB-2025-014665 // NVD: CVE-2013-10048

REFERENCES

url: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb

Trust: 1.8

url: https://web.archive.org/web/20131022221648/http://www.s3cur1ty.de/m1adv2013-003

Trust: 1.8

url: https://www.exploit-db.com/exploits/24453

Trust: 1.8

url: https://www.exploit-db.com/exploits/27528

Trust: 1.8

url: https://www.vulncheck.com/advisories/d-link-legacy-unauth-rce

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2013-10048

Trust: 0.8

sources: JVNDB: JVNDB-2025-014665 // NVD: CVE-2013-10048

SOURCES

db: JVNDB, id: JVNDB-2025-014665
db: NVD, id: CVE-2013-10048

LAST UPDATE DATE

2025-10-02T23:14:09.431000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2025-014665, date: 2025-09-30T07:34:00
db: NVD, id: CVE-2013-10048, date: 2025-09-23T17:41:57.273

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2025-014665, date: 2025-09-30T00:00:00
db: NVD, id: CVE-2013-10048, date: 2025-08-01T21:15:26.567