The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 23 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dir-300
Dlink dir-300 Firmware
Dlink dir-600
Dlink dir-600 Firmware
CPEs cpe:2.3:h:dlink:dir-300:b:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dir-600:b:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-600_firmware:*:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dir-300
Dlink dir-300 Firmware
Dlink dir-600
Dlink dir-600 Firmware
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 07 Aug 2025 07:15:00 +0000

Type Values Removed Values Added
First Time appeared D-link
D-link dir-300
D-link dir-600
Vendors & Products D-link
D-link dir-300
D-link dir-600

Wed, 06 Aug 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Description The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root.
Title D-Link Devices Unauthenticated RCE
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2025-08-06T17:54:33.683Z

Reserved: 2025-08-05T15:25:58.765Z

Link: CVE-2013-10069

cve-icon Vulnrichment

Updated: 2025-08-06T17:54:29.491Z

cve-icon NVD

Status : Analyzed

Published: 2025-08-05T20:15:35.690

Modified: 2025-09-23T18:37:48.680

Link: CVE-2013-10069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2025-08-06T15:12:50Z