CVE-2025-60697 is a command injection vulnerability identified in the D-Link DIR-882 router firmware version DIR882A1_FW102B02. The vulnerability exists in the handling of Dynamic DNS (DDNS) parameters within the router's web interface binaries, specifically prog.cgi and rc. The function sub_4438A4 in prog.cgi accepts user-supplied DDNS parameters such as ServerAddress and Hostname, which are stored in the router's non-volatile RAM (NVRAM) using the nvram_safe_set function. Later, these parameters are retrieved by the start_DDNS_ipv4 function in the rc binary via nvram_safe_get and concatenated into shell commands executed through the twsystem() function. Although a partial string comparison is performed to validate inputs, this check is insufficient to prevent command injection. As a result, an unauthenticated remote attacker can send specially crafted HTTP requests to the router's web interface to inject arbitrary shell commands. This leads to remote code execution on the device without requiring authentication or user interaction. The vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), and the CVSS v3.1 base score is 7.3, reflecting high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact includes potential compromise of device confidentiality, integrity, and availability, enabling attackers to control the router, intercept or manipulate network traffic, or disrupt network services. No patches or firmware updates are currently linked, and no known exploits have been reported in the wild as of the publication date (November 13, 2025).

For European organizations, this vulnerability poses a significant risk to network infrastructure security. Compromise of the D-Link DIR-882 routers could allow attackers to execute arbitrary commands, potentially leading to full device takeover. This can result in interception or manipulation of sensitive data traversing the network, disruption of internet connectivity, or use of compromised routers as pivot points for further attacks within corporate networks. The lack of authentication requirement increases the attack surface, allowing remote exploitation from anywhere with network access to the device's web interface. Organizations relying on these routers for critical connectivity or remote access services may face operational disruptions and data breaches. Additionally, compromised routers could be enlisted in botnets or used to launch attacks against other targets, amplifying the threat. The impact on confidentiality, integrity, and availability is high, necessitating urgent attention from affected entities.

1. Immediate mitigation involves isolating affected D-Link DIR-882 routers from untrusted networks or restricting access to the router's web interface to trusted management networks only. 2. Implement network-level filtering to block HTTP requests containing suspicious DDNS parameter patterns or unexpected shell metacharacters. 3. Monitor router logs and network traffic for unusual activity indicative of exploitation attempts. 4. Engage with D-Link support or official channels to obtain firmware updates or patches addressing this vulnerability as soon as they become available. 5. If firmware updates are unavailable, consider replacing affected routers with models not susceptible to this vulnerability. 6. Employ network segmentation to limit the impact of a compromised router on the broader organizational network. 7. Regularly audit and update router configurations, disabling unnecessary services such as DDNS if not required. 8. Educate network administrators on the risks of command injection vulnerabilities and the importance of secure router management practices.