An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 23 Sep 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dir-300
Dlink dir-300 Firmware
Dlink dir-615
Dlink dir-615 Firmware
CPEs cpe:2.3:h:dlink:dir-300:a:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-615:d:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-615_firmware:*:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dir-300
Dlink dir-300 Firmware
Dlink dir-615
Dlink dir-615 Firmware
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 05 Aug 2025 11:45:00 +0000

Type Values Removed Values Added
First Time appeared D-link
D-link dir-300
D-link dir-615
Vendors & Products D-link
D-link dir-300
D-link dir-615

Mon, 04 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 Aug 2025 21:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in multiple D-Link routers—confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)—via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.
Title D-Link Devices tools_vct.xgi Unauthenticated RCE
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-04T14:23:02.025Z

Reserved: 2025-08-01T15:02:17.383Z

Link: CVE-2013-10050

cve-icon Vulnrichment

Updated: 2025-08-04T14:22:55.699Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-01T21:15:26.923

Modified: 2025-09-23T17:38:12.313

Link: CVE-2013-10050

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-05T11:39:03Z