CVE-2013-10059
HIGHCVSS v3
7.2
HIGH
EPSS Score
50.8%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.
Technical Details
- Published
- 8/1/2025
Frequently Asked Questions
What is CVE-2013-10059?
An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands.
Is CVE-2013-10059 actively exploited?
Active exploitation of CVE-2013-10059 has not been confirmed. The EPSS score is 50.8%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2013-10059?
CVE-2013-10059 has a CVSS v3 base score of 7.2 (HIGH severity).
Is CVE-2013-10059 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.