CVE-2013-10050

8.8 HIGH

📋 TL;DR

This CVE describes an authenticated OS command injection vulnerability in multiple D-Link router models that allows attackers with valid credentials to execute arbitrary shell commands. Successful exploitation leads to full device compromise, including establishing root access via telnet. Affected devices are end-of-life D-Link routers with specific firmware versions exposing the vulnerable tools_vct.xgi endpoint.

💻 Affected Systems

Products:
  • D-Link DIR-300 rev A
  • D-Link DIR-615 rev D
Versions: DIR-300 v1.05, DIR-615 v4.13 (and likely other versions with tools_vct.xgi endpoint)
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Mathopd/1.5p6 web server and exposed tools_vct.xgi CGI endpoint. Other D-Link models with similar firmware may be vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full device compromise with persistent root access, allowing attackers to intercept all network traffic, install malware, pivot to internal networks, and create backdoors.

🟠 Likely Case

Attackers with valid credentials gain root shell access, enabling them to reconfigure the router, intercept traffic, and potentially compromise connected devices.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the router itself without lateral movement to other systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Metasploit module available. Requires valid admin credentials. Exploitation is straightforward once credentials are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch available. Affected devices are end-of-life and no longer supported by D-Link.

🔧 Temporary Workarounds

Disable web management interface (platform: all)

Disable the vulnerable web interface entirely to prevent exploitation. This is router-specific configuration, typically done through the admin interface.

Block access to tools_vct.xgi (platform: linux)

Use firewall rules to block access to the vulnerable endpoint:

iptables -A INPUT -p tcp --dport 80 -m string --string "tools_vct.xgi" --algo bm -j DROP

This rule only matches unencrypted HTTP on port 80 and, being in the INPUT chain, only protects the host it is loaded on; on an inline Linux gateway in front of the router, place it in the FORWARD chain instead, and adjust the port if management listens elsewhere.

🧯 If You Can't Patch

  • Replace affected routers with supported models
  • Implement strict network segmentation to isolate vulnerable routers

🔍 How to Verify

Check if Vulnerable:

Check if tools_vct.xgi endpoint exists and responds: curl -k 'http://router-ip/tools_vct.xgi'

Check Version:

Check router web interface or use: curl -s http://router-ip/ | grep -i firmware

Verify Fix Applied:

Verify tools_vct.xgi endpoint is no longer accessible or returns error

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /tools_vct.xgi
  • Suspicious ping commands with shell metacharacters
  • Telnet service startup logs

Network Indicators:

  • Unexpected telnet connections to router
  • Unusual outbound traffic from router
  • Multiple failed login attempts followed by tools_vct.xgi access

SIEM Query:

source="router-logs" AND (uri="/tools_vct.xgi" OR cmd="telnetd")
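The log and network indicators above, turned into a small triage filter as an added example (not part of the original entry or any D-Link tooling). It assumes a request log with one record per line in the constructed form "client method path params", where params is whatever a reverse proxy or IDS captured; the parameter name ping_target and the sample lines are hypothetical. Plain access to tools_vct.xgi is rated info, since an administrator running the ping diagnostic also hits it; shell metacharacters or telnetd in the parameters raise it to high.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real Mathopd logs): "client method path params".
SAMPLE_LOG = """\
192.168.0.10 GET /index.htm -
192.168.0.10 POST /login.cgi user=admin
192.168.0.10 POST /tools_vct.xgi ping_target=192.168.0.1
192.168.0.99 POST /tools_vct.xgi ping_target=127.0.0.1;telnetd
192.168.0.99 GET /tools_vct.xgi ping_target=`id`
"""

# Characters that let a ping argument carry a second shell command.
SHELL_META = re.compile(r"[;&|`]|\$\(")
VULN_PATH = "/tools_vct.xgi"


@dataclass
class Finding:
    client: str
    path: str
    reasons: tuple

    @property
    def severity(self) -> str:
        """high when injection indicators are present, otherwise info."""
        hot = ("shell metacharacters", "telnetd")
        return "high" if any(h in r for r in self.reasons for h in hot) else "info"


def inspect(line: str):
    """Return a Finding for one record, or None if nothing stands out."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    client, method, path, params = parts
    reasons = []
    if path.split("?")[0] == VULN_PATH:
        reasons.append("access to vulnerable endpoint")
        if method == "POST":
            reasons.append("POST request (how the injection is delivered)")
    if params != "-" and SHELL_META.search(params):
        reasons.append("shell metacharacters in parameters")
    if "telnetd" in params:
        reasons.append("telnetd in parameters")
    return Finding(client, path, tuple(reasons)) if reasons else None


def scan(log: str):
    """Run inspect() over every record and keep the hits."""
    return [f for f in (inspect(l) for l in log.splitlines()) if f]
```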
