CVE-2025-60672

CWE-77Command Injection4 documents4 sources
Severity
6.5MEDIUM
EPSS
0.2%
top 59.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Dlink Dir-878 Firmware
Timeline
PublishedNov 13
Latest updateNov 20

Description

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
CVE-2025-60672: An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B042025-11-13
GHSA
GHSA-4h72-3qcj-43q9: An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B042025-11-13

🕵️Threat Intelligence

1
Bleepingcomputer
D-Link warns of new RCE flaws in end-of-life DIR-878 routers2025-11-20
CVE-2025-60672 (MEDIUM CVSS 6.5) | An unauthenticated command injectio | cvebase.io