CVE-2025-60701 is a command injection vulnerability identified in the firmware of the D-Link DIR-882 router, specifically in the DIR882A1_FW102B02 version. The vulnerability exists in the prog.cgi and rc binaries, where the function sub_433188 in prog.cgi accepts user-supplied email configuration parameters such as EmailFrom, EmailTo, SMTPServerAddress, SMTPServerPort, and AccountName. These parameters are stored in non-volatile RAM (NVRAM) using the nvram_safe_set function. Later, the sub_448FDC function in the rc binary retrieves these parameters using nvram_safe_get and concatenates them into shell commands executed via the twsystem() function. Critically, these inputs are not sanitized before being used in shell commands, leading to a classic command injection scenario (CWE-77). An attacker can exploit this vulnerability remotely and without authentication by sending specially crafted HTTP requests to the router's web interface, injecting arbitrary commands that the router executes with system privileges. The vulnerability was published on November 13, 2025, and carries a CVSS v3.1 score of 6.5, reflecting medium severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality and integrity but not availability. No patches or known exploits are currently reported, but the potential for exploitation exists due to the lack of input sanitization and unauthenticated remote access.

The primary impact of CVE-2025-60701 on European organizations lies in the potential for unauthorized command execution on affected D-Link DIR-882 routers. This can lead to confidentiality breaches, such as interception or manipulation of network traffic, and integrity compromises, including unauthorized configuration changes or deployment of malicious payloads within the network. Although availability is not directly impacted, the attacker could leverage the router as a foothold for lateral movement or persistent access, increasing overall risk. European enterprises and service providers relying on these routers for network connectivity, especially in small to medium-sized businesses or branch offices, may face increased exposure. The unauthenticated nature of the exploit means attackers do not need credentials, heightening the threat level. Additionally, compromised routers could be used in botnets or as pivot points for further attacks against critical infrastructure or sensitive data. The medium CVSS score reflects these risks but also indicates that exploitation requires specific crafted requests and knowledge of the router’s interface.

1. Monitor D-Link’s official channels for firmware updates addressing this vulnerability and apply patches promptly once available. 2. Until patches are released, restrict access to the router’s web management interface by limiting it to trusted internal networks or via VPNs. 3. Disable remote management features on the router if not strictly necessary to reduce exposure. 4. Implement network segmentation to isolate routers from critical systems and sensitive data environments. 5. Employ intrusion detection and prevention systems (IDS/IPS) to monitor for unusual HTTP requests targeting the router’s web interface, focusing on patterns indicative of command injection attempts. 6. Regularly audit router configurations and logs for signs of unauthorized changes or suspicious activity. 7. Educate network administrators about the risks of unauthenticated remote access vulnerabilities and encourage adherence to the principle of least privilege. 8. Consider deploying network-level firewall rules to block unsolicited inbound traffic to router management ports from untrusted sources. 9. If feasible, replace affected hardware with models that have no known vulnerabilities or have received timely security updates.