CVE-2025-60673: n/a
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
AI Analysis
Technical Summary
CVE-2025-60673 is a command injection vulnerability identified in the D-Link DIR-878A1 router firmware version FW101B04.bin. The vulnerability exists in the 'SetDMZSettings' functionality exposed via the prog.cgi interface. Specifically, the 'IPAddress' parameter is accepted from HTTP requests and stored directly into the router's NVRAM without proper input validation or sanitization. Subsequently, the stored IP address is used by the shared library librcm.so to construct iptables firewall commands, which are executed through the twsystem() function. Because twsystem() executes shell commands, an attacker can inject arbitrary shell commands by manipulating the 'IPAddress' parameter. This flaw is exploitable remotely without any authentication or user interaction, making it highly accessible to attackers scanning for vulnerable devices. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), indicating command injection. Although no public exploits are currently known, the medium CVSS score of 6.5 reflects the potential for partial confidentiality and integrity impact without affecting availability. Successful exploitation could allow attackers to alter firewall rules, execute arbitrary commands, or pivot within the network, compromising device and network security. The lack of available patches at the time of publication increases the urgency for mitigation.
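To make the defect concrete, the following is an added example written for this page; it is not D-Link firmware code and is not taken from prog.cgi or librcm.so. It contrasts the two ways a stored IPAddress value can reach iptables: spliced into a command string that a twsystem()-style wrapper hands to a shell (the CWE-77 pattern), versus validated with inet_pton() and passed as one argv element so no shell parses it. The DNAT shape of the rule and the function names build_dmz_rule_shell, is_valid_ipv4, prepare_dmz_argv, dmz_rule_accepts and exec_dmz_rule are assumptions for illustration; the page does not show the actual command the firmware builds.

```c
/* Added example (not D-Link firmware code): the shell-string pattern that
 * CWE-77 describes, beside a validate-then-execvp alternative.
 * The DNAT rule shape and all function names here are assumptions. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Vulnerable pattern: whatever was stored in NVRAM is spliced into a
 * command line that a twsystem()-style wrapper would hand to /bin/sh -c.
 * Nothing is executed here; the string is returned so it can be inspected. */
const char *build_dmz_rule_shell(const char *ip) {
    static char cmd[256];
    snprintf(cmd, sizeof cmd,
             "iptables -t nat -A PREROUTING -j DNAT --to-destination %s", ip);
    return cmd;
}

/* Strict check: inet_pton() accepts only a well-formed IPv4 dotted quad,
 * so a value carrying spaces, ';', '|', '`' or '$' is rejected outright. */
int is_valid_ipv4(const char *s) {
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened pattern: validate first, then build an argv vector so that no
 * shell ever parses the value. Fills argv (NULL-terminated) and returns the
 * argument count, or -1 if the input is rejected or the vector is too small. */
int prepare_dmz_argv(const char *ip, const char *argv[], size_t max) {
    static const char *fixed[] = {"iptables", "-t", "nat", "-A", "PREROUTING",
                                  "-j", "DNAT", "--to-destination"};
    size_t n = sizeof fixed / sizeof fixed[0];
    if (!is_valid_ipv4(ip) || max < n + 2) return -1;
    for (size_t i = 0; i < n; i++) argv[i] = fixed[i];
    argv[n] = ip;          /* passed as a single argument; metacharacters are inert */
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

/* Convenience wrapper: 1 if the value would be accepted, 0 otherwise. */
int dmz_rule_accepts(const char *ip) {
    const char *argv[16];
    return prepare_dmz_argv(ip, argv, 16) > 0;
}

/* Runs the prepared vector with execvp() in a child process; returns the
 * child's exit status or -1. On a host without iptables this reports 127. */
int exec_dmz_rule(const char *ip) {
    const char *argv[16];
    if (prepare_dmz_argv(ip, argv, 16) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Dry run only: shows what each path does with a clean and a tainted value. */
int main(void) {
    const char *inputs[] = {"192.168.0.50", "192.168.0.50;x"};
    for (size_t i = 0; i < 2; i++) {
        const char *argv[16];
        printf("shell string: %s\n", build_dmz_rule_shell(inputs[i]));
        printf("argv path   : %s\n",
               prepare_dmz_argv(inputs[i], argv, 16) > 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The point of the contrast is that the argv path needs no escaping logic at all: once the value has passed a strict type check, it travels to the target binary as a single argument, and the shell never sees it. The string path has to rely on filtering, which is exactly what the advisory says is missing.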
Potential Impact
For European organizations, this vulnerability poses a significant risk to network security, especially for those relying on the D-Link DIR-878A1 router in their infrastructure. Exploitation could lead to unauthorized command execution, allowing attackers to manipulate firewall settings, bypass security controls, or deploy malware within the network. This could result in data leakage, unauthorized access to internal resources, or disruption of network operations. Given the unauthenticated nature of the exploit, attackers can remotely compromise devices without prior access, increasing the attack surface. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) could face regulatory and reputational damage if exploited. Additionally, compromised routers could be leveraged as footholds for broader attacks or as part of botnets targeting other critical infrastructure. The medium severity suggests that while availability impact is low, confidentiality and integrity risks are non-trivial and warrant prompt attention.
Mitigation Recommendations
1. Immediate mitigation should include restricting remote management interfaces to trusted networks only and disabling WAN-side access to the router's web interface where possible.
2. Network administrators should implement strict input validation and filtering at network boundaries to detect and block suspicious HTTP requests targeting prog.cgi or similar endpoints.
3. Employ network segmentation to isolate vulnerable devices from critical assets, limiting potential lateral movement.
4. Monitor router logs and network traffic for unusual patterns indicative of command injection attempts or unauthorized configuration changes.
5. If vendor patches become available, prioritize timely firmware updates to address the vulnerability.
6. As a temporary workaround, consider disabling the 'SetDMZSettings' functionality if feasible, or replacing affected devices with models not susceptible to this flaw.
7. Conduct regular vulnerability scans to identify exposed devices and remediate accordingly.
8. Educate IT staff on recognizing signs of exploitation and maintaining secure router configurations.
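Recommendations 2 and 4 above call for spotting requests to prog.cgi whose IPAddress value is not an address. The block below is an added detection example, constructed for this page rather than taken from the vendor or from any product; it runs a simple rule over a few constructed request lines. The query-string form of the sample requests, the function names is_suspicious_dmz_request and count_suspicious, and the SAMPLE_LOG lines are all assumptions, since the page does not document how prog.cgi actually encodes SetDMZSettings parameters.

```c
/* Added detection example (constructed, not from the page or the vendor):
 * flag request lines that reach prog.cgi with a SetDMZSettings IPAddress
 * value that is not a plain dotted quad. The query-string form used in the
 * samples is an assumption; the real prog.cgi request encoding is not
 * documented here. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Character-class check only: a dotted quad is digits and dots, 7..15 chars.
 * Anything else (spaces, ';', '|', quotes, an empty value) is reported. */
static int looks_like_dotted_quad(const char *v, size_t len) {
    if (len < 7 || len > 15) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)v[i]) && v[i] != '.') return 0;
    return 1;
}

/* Returns 1 if the line targets prog.cgi and carries an IPAddress value that
 * does not look like an address, 0 otherwise. */
int is_suspicious_dmz_request(const char *line) {
    if (strstr(line, "prog.cgi") == NULL) return 0;
    const char *p = strstr(line, "IPAddress=");
    if (p == NULL) return 0;
    p += strlen("IPAddress=");
    size_t len = strcspn(p, "& \r\n");   /* value ends at '&', space or EOL */
    return looks_like_dotted_quad(p, len) ? 0 : 1;
}

/* Constructed sample request lines (not real traffic). */
#define SAMPLE_LOG_COUNT 4
const char *SAMPLE_LOG[SAMPLE_LOG_COUNT] = {
    "GET /prog.cgi?SetDMZSettings&IPAddress=192.168.0.50 HTTP/1.1",
    "GET /prog.cgi?SetDMZSettings&IPAddress=192.168.0.50;x HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /prog.cgi?SetDMZSettings&IPAddress= HTTP/1.1",
};

/* Counts flagged lines over an array of request lines. */
int count_suspicious(const char **lines, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += is_suspicious_dmz_request(lines[i]);
    return hits;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_LOG_COUNT; i++)
        if (is_suspicious_dmz_request(SAMPLE_LOG[i]))
            printf("ALERT: %s\n", SAMPLE_LOG[i]);
    printf("%d of %d lines flagged\n",
           count_suspicious(SAMPLE_LOG, SAMPLE_LOG_COUNT), SAMPLE_LOG_COUNT);
    return 0;
}
```

The rule is deliberately an allow-list on the value's shape rather than a block-list of shell characters, so it also catches an empty value and percent-encoded junk. Real traffic may carry the parameter percent-encoded or inside a POST body, so a production rule should decode the request and extract the parameter from the body before applying the same shape check.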
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69162b1819431ce75c56943a
Added to database: 11/13/2025, 7:01:44 PM
Last enriched: 11/20/2025, 7:40:22 PM
Last updated: 1/7/2026, 4:16:59 AM