Unrated severityNVD Advisory· Published Aug 1, 2025· Updated Apr 7, 2026

D-Link Routers tools_vct.htm OS Command Injection

CVE-2013-10059

Description

An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.

Affected products

Dlink/Dir 615llm-fuzzy
Range: = firmware 8.04 (H1)
D-Link/DIR-615H1v5
Range: *

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_dir615_up_exec.rbmitreexploit
web.archive.org/web/20150921102603/http://www.s3cur1ty.de/m1adv2013-008mitretechnical-descriptionexploit
www.exploit-db.com/exploits/24477mitreexploit
www.exploit-db.com/exploits/25609mitreexploit
www.vulncheck.com/advisories/d-link-legacy-os-command-injectionmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.044
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000