CVE-2025-60672

Published: Nov 13, 2025Modified: Nov 17, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.

Affected (1)

Products: Dlink: Dir 878 Firmware

1 product

Dir 878 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Dlink Dir 878 Firmware	Version 1.01b04

Running on/with	Platform Versions
Dlink Dir 878	Version a1

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (4)

http://d-link.com

Source: cve@mitre.org

Product

https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60672.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.dlink.com/en

Source: cve@mitre.org

Product

https://www.dlink.com/en/security-bulletin/

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.