CVE-2025-60701: n/a
A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `rc` binaries. The `sub_433188` function in `prog.cgi` stores user-supplied email configuration parameters (`EmailFrom`, `EmailTo`, `SMTPServerAddress`, `SMTPServerPort`, `AccountName`) in NVRAM via `nvram_safe_set`. These values are later retrieved in the `sub_448FDC` function of `rc` using `nvram_safe_get` and concatenated into shell commands executed via `twsystem()` without sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface.
AI Analysis
Technical Summary
CVE-2025-60701 is a critical command injection vulnerability found in the D-Link DIR-882 router firmware (DIR882A1_FW102B02). The issue exists within two binaries: prog.cgi and rc. The prog.cgi binary contains a function, sub_433188, which processes user-supplied email configuration parameters such as EmailFrom, EmailTo, SMTPServerAddress, SMTPServerPort, and AccountName. These parameters are stored in the router's non-volatile RAM (NVRAM) using the nvram_safe_set function. Later, the rc binary retrieves these parameters via nvram_safe_get in the sub_448FDC function and concatenates them directly into shell commands executed by twsystem(), a function that runs system commands. Because these inputs are not sanitized or validated, an attacker can craft malicious HTTP requests to inject arbitrary shell commands. Crucially, this attack vector requires no authentication, allowing remote attackers to gain command execution on the router. This can lead to full device compromise, enabling attackers to manipulate network traffic, intercept sensitive data, or pivot into internal networks. Although no CVSS score has been assigned yet, the vulnerability's characteristics indicate a high severity. There are no known exploits in the wild at the time of publication, and no patches have been released. The vulnerability was reserved in September 2025 and published in November 2025.
Potential Impact
For European organizations, the impact of CVE-2025-60701 can be significant. The D-Link DIR-882 router is commonly used in small to medium business environments and home offices, making it a critical network edge device. Exploitation allows attackers to execute arbitrary commands remotely without authentication, potentially leading to full device takeover. This compromises the confidentiality of network traffic, as attackers can intercept or redirect data. Integrity is at risk because attackers can alter router configurations or inject malicious payloads into the network. Availability may be disrupted if attackers disable or crash the device. Such compromises can facilitate lateral movement into corporate networks, data exfiltration, or launching further attacks. Given the router's role in network perimeter defense, successful exploitation could undermine organizational cybersecurity postures. European entities relying on these routers for critical communications or remote access are particularly vulnerable, especially if remote management interfaces are exposed externally.
Mitigation Recommendations
1. Immediately restrict access to the router's web management interface by disabling remote management features or limiting access to trusted IP addresses only.
2. Disable any unnecessary services, especially email configuration features if not in use.
3. Monitor network traffic for unusual HTTP requests targeting the router's web interface, focusing on suspicious parameter values.
4. Implement network segmentation to isolate routers from critical internal systems, reducing potential lateral movement.
5. Regularly audit router firmware versions and configurations to detect unauthorized changes.
6. Once available, promptly apply official firmware updates from D-Link that address this vulnerability.
7. For organizations unable to update immediately, consider replacing affected devices with models not vulnerable to this issue.
8. Employ intrusion detection systems (IDS) or web application firewalls (WAF) capable of detecting command injection attempts targeting router management interfaces.
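The defect described above (NVRAM values pasted into a shell command) and the screening that recommendation 3 calls for can be shown together. The following is an added example, not code from the DIR-882 firmware: a per-parameter allowlist check that a fixed `prog.cgi` could apply before `nvram_safe_set()` and that `rc` could repeat before anything reaches `twsystem()`. The allowlist rules, the mail command template and the function names are assumptions; the real command built in `rc` is not on the page.

```c
// Added example (not D-Link's code): allowlist screening for the email
// configuration parameters named in the advisory, plus the command-building
// step in its fixed form. The rules and the template are assumptions.
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int host_char(int c)  { return isalnum(c) || c == '.' || c == '-'; }
static int email_char(int c) { return host_char(c) || c == '@' || c == '_' || c == '+'; }

/* Returns 1 if value is acceptable for the named email parameter, else 0.
 * Anything outside the allowlist (quotes, ';', '|', '`', '$', whitespace,
 * newlines) is rejected, so shell metacharacters never reach NVRAM. */
int email_param_ok(const char *name, const char *value) {
    size_t len = strlen(value);
    if (len == 0 || len > 128) return 0;
    if (strcmp(name, "SMTPServerPort") == 0) {
        char *end;
        long port = strtol(value, &end, 10);
        return *end == '\0' && port >= 1 && port <= 65535;
    }
    int (*ok)(int) = strcmp(name, "SMTPServerAddress") == 0 ? host_char : email_char;
    for (size_t i = 0; i < len; i++)
        if (!ok((unsigned char)value[i])) return 0;
    return 1;
}

/* Shape of the vulnerable step described in the advisory: values read back
 * from NVRAM are pasted into a shell command string. Here the string is only
 * built, never executed, and every value is re-checked first (fixed form).
 * Returns 0 on success, -1 if any value fails the check or does not fit. */
int build_mail_command(const char *from, const char *to, const char *server,
                       const char *port, char *out, size_t outlen) {
    if (!email_param_ok("EmailFrom", from) || !email_param_ok("EmailTo", to) ||
        !email_param_ok("SMTPServerAddress", server) ||
        !email_param_ok("SMTPServerPort", port))
        return -1;
    /* Placeholder template; the actual command used by rc is not published. */
    int n = snprintf(out, outlen, "sendmail -S %s:%s -f %s %s", server, port, from, to);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The same `email_param_ok` predicate, run over request parameters at a WAF or IDS, is a direct test for the "suspicious parameter values" that recommendation 3 asks operators to watch for.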
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69162015cdc01d126425d78a
Added to database: 11/13/2025, 6:14:45 PM
Last enriched: 11/13/2025, 6:30:26 PM
Last updated: 11/14/2025, 4:10:37 AM