CVE-2025-60675 is a command injection vulnerability found in the firmware of the D-Link DIR-823G router, specifically in version DIR823G_V1.0.2B05_20181207.bin. The vulnerability exists in the timelycheck and sysconf binaries, which handle the /tmp/new_qos.rule configuration file. These binaries parse fields from this file and concatenate them directly into command strings executed via the system() call without any input sanitization or validation. This unsafe practice allows an attacker who can write to /tmp/new_qos.rule to inject arbitrary shell commands, leading to command execution with the privileges of the affected binaries. The root cause is the lack of input sanitization on user-controlled configuration data, a classic injection flaw. Exploiting this vulnerability requires the attacker to have write access to the /tmp/new_qos.rule file, which may be achievable through other vulnerabilities, weak permissions, or local access. There is no CVSS score assigned yet, and no known public exploits have been reported. The impact of successful exploitation includes full compromise of the router, enabling attackers to manipulate network traffic, intercept data, or pivot into internal networks. The vulnerability highlights the risks of insecure firmware design and the importance of sanitizing all inputs, especially those used in system command execution contexts.

For European organizations, this vulnerability poses a significant risk if they deploy the affected D-Link DIR-823G routers, especially in environments where network perimeter security relies on these devices. Successful exploitation could allow attackers to gain persistent control over the router, enabling interception or manipulation of sensitive communications, disruption of network availability, or use of the device as a foothold for further attacks within the corporate network. This could lead to data breaches, loss of service, and compromise of internal systems. Given the router’s role in home and small office networks, the impact could extend to remote workers or branch offices, increasing the attack surface. Additionally, compromised routers could be leveraged in botnets or for launching attacks against other targets, amplifying the threat. The lack of authentication requirement for command execution (once write access to the file is obtained) increases the severity. The impact is particularly critical for sectors with strict data protection regulations such as finance, healthcare, and government institutions in Europe.

To mitigate this vulnerability, affected organizations should first identify if they use the D-Link DIR-823G router with the vulnerable firmware version DIR823G_V1.0.2B05_20181207.bin. Immediate steps include restricting write permissions to the /tmp directory and specifically to the /tmp/new_qos.rule file to prevent unauthorized modification. Network segmentation should be enforced to limit access to router management interfaces and temporary file systems. Monitoring and alerting for unusual file writes or command executions on the router can help detect exploitation attempts. Since no official patch is currently available, organizations should consider upgrading to a newer firmware version if released or replacing the device with a more secure model. Additionally, applying strict access controls, disabling unnecessary services, and enforcing strong authentication mechanisms for router management interfaces will reduce the risk of initial access. Regular firmware integrity checks and network traffic monitoring for anomalies are recommended. Vendors should be engaged to provide a timely patch and security advisory.