CVE-2013-10050 HIGH

CVE-2013-10050: D-Link Devices tools_vct.xgi Authenticated RCE

Vendor D-Link

Product DIR-300 rev A

Weakness CWE-78

Published August 1, 2025

Last update May 26, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An OS command injection vulnerability exists in multiple D-Link routers (confirmed on DIR-300 rev A v1.05 and DIR-615 rev D v4.13) via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life.

Key dates

02Disclosure timeline

August 1, 2025 CVE published

May 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2013-10050

Related vulnerabilities

Identifiers

CVE CVE-2013-10050

CWE CWE-78

CVSS 8.7 / HIGH

Affected versions

Vendor D-Link

Product DIR-300 rev A

Affected ≤ 1.05

Vendor D-Link

Product DIR-615 rev D

Affected ≤ 4.13

CVE-2013-10050: D-Link Devices tools_vct.xgi Authenticated RCE

01Description

02Disclosure timeline

03References

04Related CVE