CVE Catalog

CVE-2025-60672

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

High risk
3.55%

88th percentile - higher than 88% of all known CVEs

Summary

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The issue is in the 'SetDynamicDNSSettings' functionality, where 'ServerAddress' and 'Hostname' parameters are stored in NVRAM and later used to construct system commands executed via twsystem(). An attacker can exploit this remotely without authentication by sending a crafted HTTP request, leading to arbitrary command execution on the device.

Risk Assessment

The risk for the organization includes full remote compromise of the router by an unauthenticated attacker, potentially allowing network traffic interception, configuration changes, or using the device as an entry point into the internal network.

Recommendation

It is recommended to immediately update the D-Link DIR-878A1 router firmware to the latest available version if a patch is released. If no update is available, restrict access to the router's management interface to trusted networks only or disable remote access.

Original NVD description (English source)

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS