CVE-2025-60671: n/a
A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /var/system/linux_vlan_reinit file. The vulnerability occurs because content read from this file is only partially validated for a prefix and then formatted using vsnprintf() before being executed with system(), allowing an attacker with write access to /var/system/linux_vlan_reinit to execute arbitrary commands on the device.
AI Analysis
Technical Summary
CVE-2025-60671 is a command injection vulnerability identified in the firmware of the D-Link DIR-823G router, specifically version DIR823G_V1.0.2B05_20181207.bin. The flaw exists within the timelycheck and sysconf binaries, which process the /var/system/linux_vlan_reinit file. This file's content is only partially validated for a specific prefix before being formatted using the vsnprintf() function. Subsequently, the formatted string is executed via the system() call without sufficient sanitization, allowing an attacker who can write to the linux_vlan_reinit file to inject arbitrary commands. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). Exploitation requires the attacker to have write permissions to the target file, which may be achievable through other vulnerabilities or misconfigurations. The CVSS v3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and limited impact on confidentiality and integrity but no impact on availability. No patches or known exploits are currently available, indicating the need for proactive mitigation and monitoring. This vulnerability could allow attackers to execute arbitrary commands on the router, potentially leading to unauthorized access, data leakage, or further network compromise.
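The pattern described above, as an added example (not D-Link's code and not taken from the advisory): a prefix-only check next to a whole-line allowlist that produces argv[] for an exec-style call instead of a string for system(). The prefix `vlan_reinit `, the length limits and the function names are assumptions, since the advisory does not give the real values.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical prefix and limits: the advisory does not state the real ones. */
#define PREFIX   "vlan_reinit "
#define MAX_LINE 64
#define MAX_ARGS 4

/* Pattern the advisory describes: only the prefix is compared, so every byte
 * after it would be formatted into the string handed to system(). */
int prefix_only_ok(const char *line) {
    return strncmp(line, PREFIX, strlen(PREFIX)) == 0;
}

/* Hardened form: allowlist the whole line and split it into argv[] so no
 * shell parses it. Returns argc or -1; argv[] points into buf (MAX_LINE). */
int parse_strict(const char *line, char *buf, char *argv[MAX_ARGS + 1]) {
    size_t len = strcspn(line, "\n"), plen = strlen(PREFIX);
    if (line[len] == '\n' && line[len + 1] != '\0') return -1; /* extra lines */
    if (len <= plen || len >= MAX_LINE) return -1;
    if (strncmp(line, PREFIX, plen) != 0) return -1;
    memcpy(buf, line + plen, len - plen);
    buf[len - plen] = '\0';
    for (char *p = buf; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == ' '))
            return -1;                 /* ; | & $ ` and similar are rejected */
    }
    int argc = 0;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc == MAX_ARGS) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc > 0 ? argc : -1;
}

int main(void) {
    /* Constructed sample lines, not taken from the firmware. */
    const char *samples[] = { "vlan_reinit eth0 100\n",
                              "vlan_reinit eth0; echo injected\n" };
    for (int i = 0; i < 2; i++) {
        char buf[MAX_LINE], *argv[MAX_ARGS + 1];
        printf("prefix-only=%d strict=%d\n", prefix_only_ok(samples[i]),
               parse_strict(samples[i], buf, argv));
    }
    return 0;
}
```

The second sample passes the prefix-only check but is rejected by the strict parser, which is the gap the CWE-77 classification refers to.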
Potential Impact
For European organizations, exploitation of this vulnerability could lead to unauthorized command execution on affected D-Link DIR-823G routers, compromising the confidentiality and integrity of network traffic passing through these devices. Attackers could manipulate router configurations, intercept or redirect traffic, or establish persistent footholds within corporate networks. Although availability is not directly impacted, the breach of router integrity could facilitate broader network attacks or data exfiltration. Organizations relying on these routers for critical network infrastructure, especially in small to medium enterprises or branch offices, may face increased risk. The vulnerability's requirement for write access to a system file limits exploitation to attackers with some level of prior access or insider threat capabilities, but it remains a significant risk if combined with other vulnerabilities or weak access controls. The absence of patches increases exposure until firmware updates are released. Given the widespread use of D-Link routers in Europe, the threat could affect diverse sectors including government, finance, and telecommunications.
Mitigation Recommendations
To mitigate CVE-2025-60671, European organizations should immediately audit and restrict write permissions to the /var/system/linux_vlan_reinit file on all affected D-Link DIR-823G routers, ensuring only trusted system processes have access. Network segmentation and strict access controls should be enforced to limit administrative access to router management interfaces. Implement continuous monitoring and alerting for unauthorized changes to critical system files and unusual command execution patterns on routers. Employ network intrusion detection systems (NIDS) to detect anomalous traffic indicative of exploitation attempts. Organizations should also maintain an inventory of all D-Link DIR-823G devices and track firmware versions to prioritize updates once patches become available. If possible, consider temporary replacement or isolation of vulnerable devices in high-risk environments. Additionally, review and harden router configurations to minimize exposure, disable unnecessary services, and enforce strong authentication mechanisms. Coordination with D-Link for timely patch deployment is essential once a fix is released.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69162015cdc01d126425d77e
Added to database: 11/13/2025, 6:14:45 PM
Last enriched: 11/20/2025, 7:37:56 PM
Last updated: 11/22/2025, 6:47:06 AM