CVE-2025-60672: n/a
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
AI Analysis
Technical Summary
CVE-2025-60672 is a critical security vulnerability identified in the D-Link DIR-878A1 router firmware version FW101B04.bin. The vulnerability arises from improper input validation and command construction in the 'SetDynamicDNSSettings' functionality exposed via the prog.cgi interface. Specifically, the 'ServerAddress' and 'Hostname' parameters, which are intended for dynamic DNS configuration, are stored directly into NVRAM without sanitization. Subsequently, these parameters are incorporated into system commands executed by the rc script through the twsystem() function, which executes shell commands. Because the parameters are not sanitized, an attacker can inject arbitrary shell commands by crafting malicious input. The vulnerability is exploitable remotely over HTTP without any authentication, meaning an attacker can send a specially crafted HTTP request to the router's management interface and gain arbitrary command execution. This level of access allows attackers to fully compromise the device, potentially pivoting into internal networks, intercepting or modifying traffic, or disrupting network availability. No CVSS score has been assigned yet, and no patches or mitigations have been officially released. The vulnerability was reserved in late September 2025 and published in November 2025. Although no known exploits are currently in the wild, the ease of exploitation and impact make this a high-risk threat. The affected firmware version is FW101B04.bin, but no further version details are provided, so all devices running this firmware should be considered vulnerable. The attack vector is remote and unauthenticated, increasing the urgency for mitigation.
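The bug class the summary describes, as an added illustration in hypothetical C (not D-Link's firmware code and not derived from it): an NVRAM-sourced value spliced into a shell command line, beside the hardened form that validates the value before the NVRAM write and passes it to the child process without a shell. The `ddns_client` command name and its argument layout are invented placeholders; `valid_ddns_hostname` is the check the firmware should apply to the 'ServerAddress' and 'Hostname' values on input.

```c
/* Illustrative reconstruction of the bug class; hypothetical code, not D-Link's. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Strict RFC-1123 hostname check: labels of [A-Za-z0-9-], 1..63 chars each,
 * no leading or trailing '-', total length <= 253. Any shell metacharacter
 * (';', '`', '$', '|', '&', space, quotes, newline) fails the check. */
int valid_ddns_hostname(const char *s)
{
    size_t n = strlen(s), label = 0;
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;  /* empty label or "x-." */
            label = 0;
        } else if (isalnum((unsigned char)c) || c == '-') {
            if (label == 0 && c == '-') return 0;         /* label may not start with '-' */
            if (++label > 63) return 0;
        } else {
            return 0;                                     /* anything else is rejected */
        }
    }
    return label > 0 && s[n - 1] != '-';                  /* no trailing '.' or '-' */
}

/* Vulnerable pattern: values read back from NVRAM are spliced into one
 * command line that a twsystem()/system()-style wrapper would hand to /bin/sh.
 * The string is only built here, never executed. Returns 1 if it fit. */
int build_ddns_cmd_unsafe(char *out, size_t outlen,
                          const char *server, const char *host)
{
    int w = snprintf(out, outlen, "ddns_client -s %s -h %s", server, host);
    return w >= 0 && (size_t)w < outlen;
}

/* Hardened pattern: validate before the NVRAM write and again before use,
 * then pass each value as its own argv entry for execv()/posix_spawn(),
 * so no shell ever parses the user-controlled bytes. Returns 1 on success. */
int build_ddns_argv_safe(const char *argv[6], const char *server, const char *host)
{
    if (!valid_ddns_hostname(server) || !valid_ddns_hostname(host)) return 0;
    argv[0] = "ddns_client"; argv[1] = "-s"; argv[2] = server;
    argv[3] = "-h";          argv[4] = host; argv[5] = NULL;
    return 1;
}
```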
Potential Impact
For European organizations, this vulnerability poses a significant risk to network security and operational continuity. Compromise of the D-Link DIR-878A1 routers can lead to full device takeover, enabling attackers to intercept sensitive communications, manipulate network traffic, or launch further attacks within internal networks. This is particularly critical for organizations handling sensitive personal data under GDPR, critical infrastructure providers, and enterprises relying on these routers for secure connectivity. The unauthenticated nature of the exploit means that attackers can operate without insider access or credentials, increasing the likelihood of widespread exploitation if the vulnerability becomes publicly known. Disruption or compromise of network devices can lead to data breaches, service outages, and reputational damage. Additionally, routers are often overlooked in patch management, increasing exposure duration. The lack of available patches or mitigations at present exacerbates the risk. European organizations with remote management enabled on these routers are especially vulnerable, as the attack requires only network access to the management interface.
Mitigation Recommendations
1. Immediately restrict access to the router's management interface by disabling remote management over the internet or limiting access to trusted IP addresses only.
2. Monitor network traffic for unusual HTTP requests targeting prog.cgi or containing suspicious parameters related to DynamicDNS settings.
3. If possible, disable DynamicDNS features temporarily until a patch is available.
4. Regularly audit and inventory network devices to identify any running the vulnerable firmware version FW101B04.bin.
5. Engage with D-Link support or official channels to obtain firmware updates or patches as soon as they are released.
6. Implement network segmentation to isolate critical systems from vulnerable routers.
7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection patterns or anomalous HTTP requests.
8. Educate IT staff about this vulnerability and encourage rapid response to any suspicious activity.
9. Consider replacing vulnerable devices if patches are not forthcoming within a reasonable timeframe.
10. Maintain backups of router configurations and logs for forensic analysis if compromise is suspected.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6916279419431ce75c50bd78
Added to database: 11/13/2025, 6:46:44 PM
Last enriched: 11/13/2025, 7:01:56 PM
Last updated: 11/14/2025, 4:10:38 AM