CVE-2025-60854 is a critical command injection vulnerability identified in the D-Link R15 (AX1500) router firmware version 1.20.01 and earlier. The flaw exists in the web administration interface, specifically within the password change functionality. An attacker can manipulate the 'model name' parameter in the HTTP request to inject arbitrary commands into the underlying httpd process. This vulnerability is classified under CWE-77 (Improper Neutralization of Special Elements used in a Command), allowing remote code execution without requiring authentication or user interaction. The CVSS v3.1 base score of 9.8 reflects the vulnerability’s network attack vector, low complexity, no privileges required, and full impact on confidentiality, integrity, and availability. Successful exploitation could allow attackers to take full control of the router, intercept or modify network traffic, disrupt network services, or pivot into internal networks. No patches or official fixes are currently available, and no known exploits have been reported in the wild, but the vulnerability’s nature and severity make it a prime target for attackers once weaponized. The vulnerability’s presence in a widely deployed consumer and small business router model increases the potential attack surface significantly.

For European organizations, the exploitation of CVE-2025-60854 could have severe consequences. Compromise of the D-Link R15 routers would allow attackers to intercept sensitive communications, inject malicious traffic, or disrupt network availability, impacting business operations and data confidentiality. Small and medium enterprises relying on these routers for internet connectivity and network management are particularly vulnerable due to limited IT security resources. Critical infrastructure sectors using these devices could face operational disruptions or be leveraged as entry points for broader network intrusions. The lack of authentication requirement and ease of exploitation increase the risk of widespread attacks. Additionally, compromised routers could be used in botnets or for launching further attacks within European networks, amplifying the threat landscape. The absence of patches heightens urgency for interim protective measures.

Immediate mitigation should focus on network-level controls and monitoring. Organizations should isolate affected D-Link R15 routers from critical network segments and restrict administrative access to trusted IP addresses only. Implement network segmentation to limit potential lateral movement if a device is compromised. Deploy intrusion detection systems (IDS) and monitor for unusual HTTP requests targeting the password change endpoint or anomalous command execution patterns. Disable remote management features if enabled. Regularly audit router configurations and logs for signs of exploitation attempts. Since no official patches are currently available, consider replacing vulnerable devices with updated hardware or firmware versions from trusted vendors. Engage with D-Link support channels to obtain information on forthcoming patches. Educate users and administrators about the risks and signs of compromise related to this vulnerability.