CVE-2025-60700 identifies a command injection vulnerability in the D-Link DIR-882 router firmware version DIR882A1_FW102B02. The flaw exists in the prog.cgi and librcm.so binaries, where the function sub_4455BC in prog.cgi accepts user-supplied input for the SetDMZSettings/IPAddress parameter and stores it unsanitized in NVRAM under the key "dmz_ipaddr" using nvram_safe_set. Later, the DMZ_run function in librcm.so retrieves this value via nvram_safe_get and concatenates it directly into iptables shell commands executed through twsystem(), a function that runs system commands. Because the input is not sanitized or validated, an attacker can craft HTTP requests to the router’s web interface that inject arbitrary shell commands, leading to remote code execution. Notably, this attack vector requires no authentication and no user interaction, increasing its risk. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and partial confidentiality and integrity impact but no availability impact. No patches or official fixes have been released at the time of publication, and no known exploits are reported in the wild. The vulnerability is categorized under CWE-77 (Improper Neutralization of Special Elements used in a Command).

For European organizations, this vulnerability poses a significant risk to network security and device integrity. Exploitation allows unauthenticated attackers to execute arbitrary commands on affected routers, potentially leading to unauthorized access, network traffic manipulation, or pivoting to internal networks. This can compromise confidentiality and integrity of data passing through the device. Although availability impact is not directly indicated, attackers could disrupt firewall rules or network configurations, indirectly affecting service continuity. Organizations relying on D-Link DIR-882 routers, especially in critical infrastructure, SMBs, and home office environments, could face increased risk of intrusion and lateral movement. The lack of authentication requirement lowers the barrier for exploitation, making widespread automated attacks feasible once exploit code becomes available. Additionally, compromised routers could be enlisted in botnets or used to intercept sensitive communications, amplifying the threat to European entities.

1. Immediately restrict access to the router’s web management interface by limiting it to trusted internal networks and disabling remote management if enabled. 2. Implement network segmentation to isolate vulnerable devices from critical systems and sensitive data. 3. Monitor network traffic for unusual outbound connections or command injection indicators, using IDS/IPS solutions tuned for router anomalies. 4. Regularly audit router configurations and logs for unauthorized changes or suspicious activity related to DMZ settings. 5. Apply firmware updates from D-Link as soon as a patch addressing CVE-2025-60700 is released. 6. Where possible, replace affected devices with models not susceptible to this vulnerability or with more robust security controls. 7. Educate network administrators on the risks of unauthenticated web interface vulnerabilities and enforce strong access controls. 8. Employ network-level firewall rules to restrict unexpected traffic to and from the router management interface.