An OS command injection vulnerability exists in various legacy D-Link routers—including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)—due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitation of the cmd parameter.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XDlink Dir 300
HWDlinkwszystkie wersjeDlink Dir 300 Firmware
OSDlink≤ 2.13Dlink Dir 600
HWDlinkwszystkie wersjeDlink Dir 600 Firmware
OSDlink≤ 2.14b01
Related vulnerabilities
D-Link DIR-series — nieuwierzytelniony command injection w service.cgi (root RCE)
D-Link DIR-300/DIR-600 — nieuwierzytelniony OS command injection w command.php
D-Link DIR-300: zakodowane na stałe dane uwierzytelniające w usłudze Telnet
D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a command injection vulner...
D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a stack overflow via the g...