CVE-2025-60672: n/a
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
AI Analysis
Technical Summary
CVE-2025-60672 is a command injection vulnerability identified in the D-Link DIR-878A1 router firmware version FW101B04.bin. The flaw resides in the 'SetDynamicDNSSettings' functionality exposed via the prog.cgi interface. Specifically, the parameters 'ServerAddress' and 'Hostname' are accepted from HTTP requests and stored directly into the router's NVRAM without proper sanitization or validation. These stored values are later incorporated into system commands executed by the router's rc script using the twsystem() function, which executes shell commands. Because the input is not sanitized, an attacker can inject arbitrary shell commands through these parameters. The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction, making it particularly dangerous. Successful exploitation allows an attacker to execute arbitrary commands on the router with root privileges, potentially leading to device compromise, interception or manipulation of network traffic, and pivoting into internal networks. The CVSS 3.1 base score is 6.5, reflecting a medium severity level due to the lack of impact on availability and the moderate impact on confidentiality and integrity. No patches or exploits are currently publicly known, but the vulnerability poses a significant risk given the ease of exploitation and the critical role of routers in network infrastructure.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network security and data confidentiality. Compromise of the D-Link DIR-878A1 routers could allow attackers to intercept, modify, or redirect network traffic, leading to data breaches or espionage. The ability to execute arbitrary commands could enable attackers to install persistent malware, create backdoors, or disrupt network operations. Since the exploit requires no authentication and can be triggered remotely, exposed routers with remote management enabled are particularly vulnerable. This could impact enterprises, ISPs, and home users relying on this router model. The confidentiality and integrity of sensitive communications and internal networks could be compromised, potentially affecting compliance with GDPR and other data protection regulations. The lack of availability impact reduces the risk of denial-of-service but does not diminish the threat to data security and network trustworthiness.
Mitigation Recommendations
1. Immediately check for and apply any official firmware updates from D-Link addressing this vulnerability. 2. If no patch is available, disable remote management interfaces (e.g., WAN-side HTTP/HTTPS access) to prevent external exploitation. 3. Restrict access to the router’s management interface to trusted internal networks only. 4. Implement network segmentation to isolate critical systems from potentially compromised routers. 5. Monitor network traffic for unusual patterns that may indicate exploitation attempts. 6. Replace affected devices with models confirmed to be free of this vulnerability if patching is not feasible. 7. Educate users and administrators about the risks of exposing router management interfaces to the internet. 8. Employ intrusion detection/prevention systems to detect command injection attempts targeting routers. 9. Regularly audit router configurations to ensure no unauthorized changes have been made. 10. Consider using alternative DNS update mechanisms that do not rely on vulnerable router functions.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
CVE-2025-60672: n/a
Description
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
AI-Powered Analysis
Technical Analysis
CVE-2025-60672 is a command injection vulnerability identified in the D-Link DIR-878A1 router firmware version FW101B04.bin. The flaw resides in the 'SetDynamicDNSSettings' functionality exposed via the prog.cgi interface. Specifically, the parameters 'ServerAddress' and 'Hostname' are accepted from HTTP requests and stored directly into the router's NVRAM without proper sanitization or validation. These stored values are later incorporated into system commands executed by the router's rc script using the twsystem() function, which executes shell commands. Because the input is not sanitized, an attacker can inject arbitrary shell commands through these parameters. The vulnerability is exploitable remotely over the network without requiring any authentication or user interaction, making it particularly dangerous. Successful exploitation allows an attacker to execute arbitrary commands on the router with root privileges, potentially leading to device compromise, interception or manipulation of network traffic, and pivoting into internal networks. The CVSS 3.1 base score is 6.5, reflecting a medium severity level due to the lack of impact on availability and the moderate impact on confidentiality and integrity. No patches or exploits are currently publicly known, but the vulnerability poses a significant risk given the ease of exploitation and the critical role of routers in network infrastructure.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network security and data confidentiality. Compromise of the D-Link DIR-878A1 routers could allow attackers to intercept, modify, or redirect network traffic, leading to data breaches or espionage. The ability to execute arbitrary commands could enable attackers to install persistent malware, create backdoors, or disrupt network operations. Since the exploit requires no authentication and can be triggered remotely, exposed routers with remote management enabled are particularly vulnerable. This could impact enterprises, ISPs, and home users relying on this router model. The confidentiality and integrity of sensitive communications and internal networks could be compromised, potentially affecting compliance with GDPR and other data protection regulations. The lack of availability impact reduces the risk of denial-of-service but does not diminish the threat to data security and network trustworthiness.
Mitigation Recommendations
1. Immediately check for and apply any official firmware updates from D-Link addressing this vulnerability. 2. If no patch is available, disable remote management interfaces (e.g., WAN-side HTTP/HTTPS access) to prevent external exploitation. 3. Restrict access to the router’s management interface to trusted internal networks only. 4. Implement network segmentation to isolate critical systems from potentially compromised routers. 5. Monitor network traffic for unusual patterns that may indicate exploitation attempts. 6. Replace affected devices with models confirmed to be free of this vulnerability if patching is not feasible. 7. Educate users and administrators about the risks of exposing router management interfaces to the internet. 8. Employ intrusion detection/prevention systems to detect command injection attempts targeting routers. 9. Regularly audit router configurations to ensure no unauthorized changes have been made. 10. Consider using alternative DNS update mechanisms that do not rely on vulnerable router functions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mitre
- Date Reserved
- 2025-09-26T00:00:00.000Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 6916279419431ce75c50bd78
Added to database: 11/13/2025, 6:46:44 PM
Last enriched: 11/20/2025, 7:40:07 PM
Last updated: 12/29/2025, 10:29:39 AM
Views: 71
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-15183: SQL Injection in code-projects Refugee Food Management System
MediumCVE-2025-15182: SQL Injection in code-projects Refugee Food Management System
MediumHacker Claims Theft of 40 Million Condé Nast Records After Wired Data Leak
MediumCVE-2025-15181: SQL Injection in code-projects Refugee Food Management System
MediumCVE-2025-15180: Stack-based Buffer Overflow in Tenda WH450
HighActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.