
CVE-2025-60698: n/a

Severity: High
Type: Vulnerability
Tags: CVE-2025-60698, cve, cve-2025-60698
Published: Thu Nov 13 2025 (11/13/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_432F60` function in `prog.cgi` stores user-supplied `SetSysLogSettings/IPAddress` values in NVRAM via `nvram_safe_set("SysLogRemote_IPAddress", ...)`. These values are later retrieved in the `sub_448DCC` function of `rc` using `nvram_safe_get` and concatenated into a shell command executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface.

AI-Powered Analysis

Last updated: 11/13/2025, 18:29:37 UTC

Technical Analysis

CVE-2025-60698 is a critical command injection vulnerability found in the D-Link DIR-882 router firmware version DIR882A1_FW102B02. The vulnerability resides in the `prog.cgi` and `rc` binaries, where the function `sub_432F60` in `prog.cgi` accepts user-supplied values for `SetSysLogSettings/IPAddress` and stores them in NVRAM using `nvram_safe_set` without proper sanitization. Later, the `sub_448DCC` function in the `rc` binary retrieves these values via `nvram_safe_get` and concatenates them directly into a shell command executed through `twsystem()`, a function that runs system commands. Because the input is not sanitized or validated, an attacker can inject arbitrary shell commands by crafting malicious HTTP requests targeting the router's web interface.

The attack vector is remote and unauthenticated, meaning no credentials or user interaction are necessary to exploit the vulnerability. This allows an attacker to execute arbitrary commands with the privileges of the router's system user, potentially leading to full device compromise, network traffic interception, or pivoting to internal networks. The firmware version affected is DIR882A1_FW102B02, but no other versions are specified. Although no public exploits have been reported yet, the nature of the vulnerability and lack of authentication requirements make it highly exploitable once weaponized. The vulnerability was published on November 13, 2025, and no CVSS score has been assigned yet.
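The store-then-concatenate flow described above is closed by validating the address both when it is written and again when it is read back, and by starting the daemon without a shell. The following is an added sketch of that pattern, not D-Link firmware code: the function names are hypothetical, and the `syslogd -R` invocation is an assumed BusyBox-style command line.

```c
/* Added example; names are hypothetical, not taken from the firmware. */
#include <arpa/inet.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 only when s is a literal IPv4 or IPv6 address. inet_pton()
 * rejects any trailing bytes, so shell metacharacters, spaces and
 * option-like strings all fail. */
int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];

    if (s == NULL || s[0] == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Build the argument vector for the logger daemon. The stored value is
 * re-validated at the point of use because NVRAM contents may predate
 * the write-side check. Returns 0 on success, -1 if rejected. */
int build_syslog_argv(const char *stored_ip, const char *argv[], size_t n)
{
    if (n < 4 || !is_ip_literal(stored_ip))
        return -1;
    argv[0] = "syslogd";   /* assumed daemon name */
    argv[1] = "-R";        /* assumed BusyBox-style remote-host option */
    argv[2] = stored_ip;   /* a single argv element, never parsed by a shell */
    argv[3] = NULL;
    return 0;
}

/* Launch without /bin/sh: fork + execvp hands argv over verbatim. */
int run_syslog(const char *stored_ip)
{
    const char *argv[4];
    pid_t pid;
    int status;
    if (build_syslog_argv(stored_ip, argv, 4) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);        /* exec failed */
    }
    return waitpid(pid, &status, 0) == pid ? status : -1;
}
```

The same `is_ip_literal()` check belongs in the handler that writes the setting, so a rejected value never reaches NVRAM in the first place.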

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for small and medium enterprises and residential users relying on D-Link DIR-882 routers for internet connectivity. Successful exploitation can lead to complete compromise of the router, allowing attackers to intercept, modify, or redirect network traffic, potentially exposing sensitive data and credentials. Attackers could also use the compromised router as a foothold to launch further attacks within the internal network, including lateral movement to critical systems. The lack of authentication and remote exploitability increases the likelihood of automated attacks and worm-like propagation. Disruption of network availability is also possible if attackers execute destructive commands. Given the widespread use of D-Link routers in Europe, the impact could be substantial, affecting confidentiality, integrity, and availability of organizational networks and home users alike.

Mitigation Recommendations

1. Immediately disable remote management and remote access features on affected D-Link DIR-882 routers to reduce exposure to external attackers.
2. Restrict access to the router's web interface to trusted internal IP addresses only, using firewall rules or router access control lists.
3. Monitor network traffic for unusual or suspicious HTTP requests targeting router management interfaces.
4. Segment critical internal networks from the router's management interface to limit potential lateral movement.
5. Regularly check for and apply official firmware updates from D-Link addressing this vulnerability as soon as they are released.
6. If firmware updates are not yet available, consider replacing affected routers with models from vendors with timely security patching.
7. Educate users and administrators about the risks of exposing router management interfaces to the internet and enforce strong network security policies.
8. Employ network intrusion detection systems (NIDS) to detect exploitation attempts targeting this vulnerability.


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 69162015cdc01d126425d79c

Added to database: 11/13/2025, 6:14:45 PM

Last enriched: 11/13/2025, 6:29:37 PM

Last updated: 11/14/2025, 4:10:38 AM

