QwikSec

Security Database

CVE

CWE

Training

CVE-2013-10059

Published: Aug 1, 2025

Modified: May 15, 2026

PUBLISHED

Description

An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.

Vendor	Product	Versions
D-Link	DIR-615H1	affected `0 - <= 8.04`

Weaknesses (CWE)

References

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dir615_up_exec.rb

exploit

https://www.exploit-db.com/exploits/24477

exploit

https://www.exploit-db.com/exploits/25609

exploit

https://web.archive.org/web/20150921102603/http://www.s3cur1ty.de/m1adv2013-008

technical-description

exploit

https://www.vulncheck.com/advisories/d-link-legacy-os-command-injection

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.