CVE-2025-60673: n/a
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
AI Analysis
Technical Summary
CVE-2025-60673 is a critical unauthenticated command injection vulnerability found in the D-Link DIR-878A1 router firmware version FW101B04.bin. The flaw exists in the 'SetDMZSettings' functionality exposed via the prog.cgi interface. Specifically, the 'IPAddress' parameter is accepted from an HTTP request and stored directly into the router's NVRAM without proper validation or sanitization. Later, the vulnerable library librcm.so reads this stored IP address and uses it to construct iptables firewall commands, which are executed through the twsystem() function. Because twsystem() executes shell commands, an attacker can inject arbitrary shell commands by manipulating the 'IPAddress' parameter. This vulnerability can be exploited remotely without any authentication or user interaction, making it highly dangerous. Successful exploitation grants the attacker arbitrary command execution on the router, allowing them to manipulate network traffic, install persistent malware, or pivot into internal networks. The vulnerability was reserved in late September 2025 and published in November 2025, but no official CVSS score or patch links are available yet. There are no known exploits in the wild at the time of publication, but the ease of exploitation and potential impact make it a significant threat. The lack of authentication and the direct execution of attacker-controlled input in system commands highlight a severe design flaw in the firmware's input validation and command execution logic.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to network security and operational continuity. Compromise of the D-Link DIR-878A1 routers could lead to unauthorized access to internal networks, interception or manipulation of sensitive data, and disruption of network services. Critical infrastructure sectors such as finance, healthcare, government, and telecommunications that rely on these routers for perimeter defense or internal segmentation could face severe operational impacts. Attackers could establish persistent backdoors, launch further attacks within the network, or exfiltrate confidential information. The unauthenticated nature of the exploit means attackers can target devices exposed to the internet or accessible from less secure network segments without needing credentials, increasing the attack surface. Additionally, the exploitation could facilitate large-scale botnet recruitment or distributed denial-of-service (DDoS) attacks originating from compromised routers. The absence of a patch at publication heightens the urgency for organizations to implement interim mitigations to protect their networks.
Mitigation Recommendations
Given the absence of an official patch, European organizations should immediately implement network-level protections to mitigate this vulnerability. These include restricting access to the router's management interfaces (prog.cgi) by limiting exposure to trusted internal networks and blocking external HTTP requests targeting these endpoints via firewalls or intrusion prevention systems. Network segmentation should be enforced to isolate vulnerable routers from critical assets. Monitoring network traffic for unusual or malformed HTTP requests targeting the 'SetDMZSettings' functionality can help detect exploitation attempts. Organizations should disable remote management features on the affected routers if not strictly necessary. Where possible, replace vulnerable devices with updated models or firmware versions once available. Vendors and security teams should collaborate to expedite firmware patch development and deployment. Additionally, applying strict input validation and command execution safeguards in future firmware updates is essential to prevent similar vulnerabilities. Regular security audits and vulnerability assessments of network devices should be conducted to identify and remediate such risks proactively.
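The two safeguards the last recommendations call for, shown in C as an added example (this is not D-Link's code; the rule shape, the WAN interface name "eth0" and the function names are assumptions): the IPAddress parameter is validated as a canonical IPv4 literal before it can be stored, and iptables is invoked through an argument vector with execvp() rather than through a shell-string call such as twsystem(), so no shell ever parses the address.

```c
#include <arpa/inet.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Accept only a canonical dotted-quad IPv4 literal. inet_pton() rejects anything
 * but four decimal octets (quotes, ';', '`', '$(' and whitespace never reach the
 * command layer); the inet_ntop() round trip also rejects "01.2.3.4"-style forms. */
int dmz_ip_is_valid(const char *ip)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];
    if (ip == NULL || strlen(ip) >= INET_ADDRSTRLEN ||
        inet_pton(AF_INET, ip, &addr) != 1 ||
        inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL)
        return 0;
    return strcmp(canon, ip) == 0;
}
/* Build the iptables argv for the DMZ rule (rule shape and interface "eth0" are
 * assumptions, not the firmware's real rule). The address is a single argv
 * element, never spliced into a command string. Returns argc, or -1 on failure. */
int build_dmz_rule_argv(const char *ip, const char *argv[], int max_args)
{
    static const char *const prefix[] = { "iptables", "-t", "nat", "-A",
        "PREROUTING", "-i", "eth0", "-j", "DNAT", "--to-destination" };
    int n = (int)(sizeof prefix / sizeof prefix[0]);
    if (!dmz_ip_is_valid(ip) || max_args < n + 2)
        return -1;
    memcpy(argv, prefix, sizeof prefix);
    argv[n] = ip;
    argv[n + 1] = NULL;
    return n + 1;
}
/* Run the rule with fork()+execvp(): unlike a system()-style call there is no
 * /bin/sh involved to interpret metacharacters. Returns exit status, or -1. */
int apply_dmz_rule(const char *ip)
{
    const char *argv[16];
    int status;
    pid_t pid;
    if (build_dmz_rule_argv(ip, argv, 16) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    return (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
           ? WEXITSTATUS(status) : -1;
}
```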
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69162b1819431ce75c56943a
Added to database: 11/13/2025, 7:01:44 PM
Last enriched: 11/13/2025, 7:17:13 PM
Last updated: 11/15/2025, 11:07:03 PM