CVE-2025-60700: n/a
A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `librcm.so` binaries. The `sub_4455BC` function in `prog.cgi` stores user-supplied `SetDMZSettings/IPAddress` values in NVRAM via `nvram_safe_set("dmz_ipaddr", ...)`. These values are later retrieved in the `DMZ_run` function of `librcm.so` using `nvram_safe_get` and concatenated into `iptables` shell commands executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface.
AI Analysis
Technical Summary
CVE-2025-60700 is a command injection vulnerability found in the D-Link DIR-882 router firmware (DIR882A1_FW102B02), affecting the prog.cgi and librcm.so binaries. The root cause lies in the handling of the DMZ IP address setting via the router's web interface. Specifically, the sub_4455BC function in prog.cgi accepts user-supplied SetDMZSettings/IPAddress values and stores them in NVRAM using nvram_safe_set("dmz_ipaddr", ...). Later, the DMZ_run function in librcm.so retrieves this value with nvram_safe_get and concatenates it directly into iptables shell commands executed through twsystem(), a function that runs system commands. Because the input is not sanitized or validated, an attacker can inject arbitrary shell commands within the IP address parameter. The vulnerability is exploitable remotely without authentication by sending crafted HTTP requests to the router's web interface, allowing execution of arbitrary commands with root privileges. This can lead to full device compromise, enabling attackers to manipulate network traffic, install persistent malware, or pivot into internal networks. No CVSS score is assigned yet, but the vulnerability is severe due to its unauthenticated remote exploitability and potential for complete device takeover. No known exploits are currently reported in the wild, but the risk is high given the nature of the flaw. The affected firmware version is DIR882A1_FW102B02, and no patch links are currently available, indicating that vendors and users should monitor for updates and apply them promptly once released.
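The analysis above describes a classic unsanitized-concatenation flow (HTTP parameter to NVRAM to a shell command). As an added illustration that is not the firmware's code and not part of this advisory, the C below shows the defensive pattern implied by the flaw: validate the DMZ address as a strict IPv4 dotted quad before it is stored, and pass it to `iptables` as its own argv element through `execv` instead of through a shell. The function names, the WAN interface name (`eth0`) and the exact iptables rule are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical hardened counterpart to the page's "nvram_safe_get ->
 * concatenate -> twsystem()" pattern. Example code, not the vendor's. */

#define DMZ_WAN_IF   "eth0"   /* placeholder interface name, not from the advisory */
#define DMZ_ARGV_MAX 16

/* Returns 1 if s is exactly one IPv4 address in dotted-quad form, else 0.
 * inet_pton only accepts four decimal octets, so shell metacharacters,
 * whitespace or any trailing data make it fail. Run this check at the
 * point of input (before nvram_safe_set) and again before use. */
int dmz_ipaddr_is_valid(const char *s)
{
    struct in_addr a;
    if (s == NULL || *s == '\0' || strlen(s) > 15)
        return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Fills argv with the DNAT rule as separate arguments and returns argc,
 * or -1 if the address is invalid or argv is too small. Because the
 * address is a single argv element and no shell parses the line, it can
 * never be interpreted as command text. */
int build_dmz_argv(const char *ipaddr, const char **argv, int argv_len)
{
    const char *rule[] = { "/sbin/iptables", "-t", "nat", "-A", "PREROUTING",
                           "-i", DMZ_WAN_IF, "-j", "DNAT",
                           "--to-destination", ipaddr, NULL };
    int n;
    if (!dmz_ipaddr_is_valid(ipaddr) || argv_len < 12)
        return -1;
    for (n = 0; rule[n] != NULL; n++)
        argv[n] = rule[n];
    argv[n] = NULL;
    return n;
}

/* Executes argv directly (fork + execv, no /bin/sh). Returns the child's
 * exit status, or -1 on fork/exec failure. */
int run_argv(const char **argv)
{
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);            /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed, one with trailing data. */
    const char *samples[] = { "192.168.0.10", "192.168.0.10 extra" };
    const char *argv[DMZ_ARGV_MAX];
    for (int i = 0; i < 2; i++) {
        int argc = build_dmz_argv(samples[i], argv, DMZ_ARGV_MAX);
        printf("\"%s\" -> %s\n", samples[i],
               argc < 0 ? "rejected, no command built" : "accepted as argv");
    }
    return 0;
}
```

In a real firmware the `run_argv` call would replace `twsystem()`; the example's `main` only shows which inputs survive validation and does not invoke `iptables`.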
Potential Impact
For European organizations, this vulnerability poses a significant risk to network security and operational continuity. The D-Link DIR-882 router is commonly used in small to medium enterprises and home office environments, which may serve as entry points into corporate networks. Exploitation can lead to unauthorized access, interception or manipulation of network traffic, and installation of persistent malware or backdoors. This could result in data breaches, disruption of business services, and lateral movement within internal networks. The unauthenticated nature of the exploit means attackers can compromise devices without prior access, increasing the likelihood of widespread attacks. Given the critical role of routers in network infrastructure, successful exploitation could undermine confidentiality, integrity, and availability of organizational data and services. Additionally, compromised routers could be leveraged in botnets or for launching further attacks against European targets. The lack of current patches and the potential for remote exploitation elevate the urgency for affected organizations to implement mitigations.
Mitigation Recommendations
1. Immediately disable remote management and remote access features on all D-Link DIR-882 routers to reduce exposure to unauthenticated external attacks.
2. Restrict access to the router's web interface to trusted internal networks only, using firewall rules or network segmentation.
3. Monitor network traffic for unusual activity indicative of command injection or unauthorized access attempts targeting the router.
4. Regularly audit router configurations and logs to detect suspicious changes or commands executed on the device.
5. Apply firmware updates from D-Link as soon as they become available; coordinate with vendors or support channels to obtain patches addressing CVE-2025-60700.
6. Consider replacing affected routers with models that have verified secure firmware if patches are delayed.
7. Employ network intrusion detection/prevention systems (IDS/IPS) with signatures targeting exploitation attempts against this vulnerability.
8. Educate IT staff on the risks of router vulnerabilities and the importance of timely patching and secure configuration.
9. Implement network segmentation to limit the impact of compromised devices on critical infrastructure.
10. Use strong, unique administrative passwords and disable unnecessary services on routers to reduce attack surface.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69162015cdc01d126425d784
Added to database: 11/13/2025, 6:14:45 PM
Last enriched: 11/13/2025, 6:30:42 PM
Last updated: 11/14/2025, 4:10:37 AM