CVE-2025-60675
MediumCVSS 5.4Exploitation Probability (EPSS)
Elevated risk67th percentile - higher than 67% of all known CVEs
Summary
A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries. The vulnerability occurs because parsed fields from the /tmp/new_qos.rule configuration file are concatenated into command strings and executed via system() without any sanitization.
Risk Assessment
An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device, leading to full compromise of the router and potential network security breach.
Recommendation
Immediately update the router firmware to the latest available version or apply a workaround by restricting access to /tmp/new_qos.rule and monitoring its modifications.
Original NVD description (English source)
A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule configuration file. The vulnerability occurs because parsed fields from the configuration file are concatenated into command strings and executed via system() without any sanitization. An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device.

