Arbitrary Command Execution Vulnerability in D-Link DSR Series Routers
CVE-2013-5946
Currently unrated
Summary
The D-Link DSR series routers have a command injection vulnerability in the runShellCmd function within systemCheck.htm. Remote attackers can execute arbitrary commands on a device by supplying shell metacharacters in the input to functions such as 'Ping or Trace an IP Address' and 'Perform a DNS Lookup'. The affected router models include DSR-150, DSR-150N, DSR-250, DSR-250N, DSR-500, DSR-500N, DSR-1000, and DSR-1000N, with specific firmware versions prior to certain updates being susceptible. Exploitation could lead to unauthorized access to and control of the affected routers, posing a significant security risk.
EPSS Score
6% chance of being exploited in the next 30 days.