An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 23 Sep 2025 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | `cpe:2.3:o:dlink:dir-615h_firmware:8.04:*:*:*:*:*:*:*` | `cpe:2.3:o:dlink:dir-615h_firmware:*:*:*:*:*:*:*:*` |

Tue, 23 Sep 2025 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dlink, Dlink dir-615h, Dlink dir-615h Firmware |
| CPEs | | `cpe:2.3:h:dlink:dir-615h:-:*:*:*:*:*:*:*`, `cpe:2.3:o:dlink:dir-615h_firmware:8.04:*:*:*:*:*:*:*` |
| Vendors & Products | | Dlink, Dlink dir-615h, Dlink dir-615h Firmware |
| Metrics | | cvssV3_1: `{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}` |


Tue, 05 Aug 2025 11:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | D-link, D-link dir-615 |
| Vendors & Products | | D-link, D-link dir-615 |

Mon, 04 Aug 2025 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Fri, 01 Aug 2025 21:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands. |
| Title | | D-Link Routers tools_vct.htm OS Command Injection |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV4_0: `{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-04T14:23:46.719Z

Reserved: 2025-08-01T17:05:01.077Z

Link: CVE-2013-10059

Vulnrichment

Updated: 2025-08-04T14:23:40.550Z

NVD

Status: Analyzed

Published: 2025-08-01T21:15:28.000

Modified: 2025-09-23T19:10:54.760

Link: CVE-2013-10059

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-08-05T11:39:01Z