CVE-2013-10059 HIGH

CVE-2013-10059: D-Link Routers tools_vct.htm OS Command Injection

Vendor D-Link

Product DIR-615H1

Weakness CWE-78

Published August 1, 2025

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.

Key dates

02Disclosure timeline

August 1, 2025 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2013-10059

Related vulnerabilities

CVE-2013-10059: D-Link Routers tools_vct.htm OS Command Injection

01Description

02Disclosure timeline

03References

04Related CVE