The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root.
The vulnerability results from improper handling of a POST parameter named 'cmd' in the command.php file — user input is passed directly to a system call without proper validation or sanitization (CWE-78). An attacker can craft an appropriate HTTP request and inject arbitrary operating system commands. The described example of exploitation is running the Telnet service on a specified port, which provides persistent, interactive access to the system shell with root privileges.
The attacker gains full, persistent access to the operating system shell with root privileges without needing any credentials, enabling complete device takeover, modification of its configuration, and further lateral movement in the network.
Patches available from the manufacturer should be applied according to references. Due to the age of the devices and lack of active manufacturer support, replacement with a newer model covered by support is recommended. As an interim workaround, access to the router's web interface from external networks should be blocked and local access should be restricted only to trusted hosts using a firewall.
D-Link DIR-600 rev B with firmware version ≤2.14b01 and D-Link DIR-300 rev B with firmware version ≤2.13
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XDlink Dir 300
HWDlinkbDlink Dir 300 Firmware
OSDlink≤ 2.13Dlink Dir 600
HWDlinkbDlink Dir 600 Firmware
OSDlink≤ 2.14b01
Related vulnerabilities
D-Link DIR-series — nieuwierzytelniony command injection w service.cgi (root RCE)
D-Link DIR-300/DIR-600: nieuwierzytelniony command injection z uprawnieniami root
D-Link DIR-300: zakodowane na stałe dane uwierzytelniające w usłudze Telnet
D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a command injection vulner...
D-Link DIR-600 Hardware Version B5, Firmware Version 2.18 was discovered to contain a stack overflow via the g...