CVE-2025-60675 is a command injection vulnerability identified in the D-Link DIR-823G router firmware version DIR823G_V1.0.2B05_20181207.bin. The flaw exists in the timelycheck and sysconf binaries, which handle the /tmp/new_qos.rule configuration file. These binaries parse fields from this file and directly concatenate them into command strings executed via the system() function call without any input sanitization or validation. This unsafe coding practice corresponds to CWE-77 (Improper Neutralization of Special Elements used in a Command). An attacker who can write to /tmp/new_qos.rule can inject arbitrary shell commands, leading to command execution with the privileges of the affected binaries. The vulnerability requires the attacker to have local write access to the /tmp directory on the device, which typically implies some level of authenticated access or prior compromise. The CVSS v3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, required privileges (PR:L), no user interaction, and limited impact on confidentiality and integrity but no impact on availability. No patches or known exploits are currently available, but the vulnerability poses a risk of unauthorized command execution, potentially allowing attackers to manipulate router configurations, intercept or redirect traffic, or establish persistent footholds.

For European organizations, this vulnerability could lead to unauthorized command execution on affected D-Link DIR-823G routers, compromising the confidentiality and integrity of network traffic and configurations. Attackers with local access could manipulate QoS rules or other router settings, potentially enabling traffic interception, data exfiltration, or lateral movement within internal networks. Although availability is not directly impacted, the integrity breach could disrupt normal network operations or facilitate further attacks. Organizations with less stringent physical or administrative controls over network devices are at higher risk. The medium severity score suggests moderate risk, but the impact could escalate if combined with other vulnerabilities or if attackers gain initial access through weak credentials or other means. Given the widespread use of D-Link routers in small and medium enterprises and home offices across Europe, this vulnerability could affect a broad user base, especially in sectors with less mature network security practices.

To mitigate this vulnerability, European organizations should immediately restrict write permissions to the /tmp/new_qos.rule file and the /tmp directory on affected devices, ensuring only trusted system processes can modify these files. Network segmentation and strict access controls should limit who can access router management interfaces and underlying file systems. Monitoring and alerting for unauthorized changes to configuration files in /tmp can help detect exploitation attempts. Organizations should enforce strong authentication mechanisms on routers to prevent unauthorized local access. Until an official firmware patch is released, consider isolating affected routers from critical network segments or replacing them with devices from vendors with timely security updates. Additionally, conducting regular firmware audits and vulnerability assessments on network devices will help identify and remediate similar risks proactively.