CVE-2025-60672 Overview
CVE-2025-60672 is an unauthenticated command injection vulnerability in the D-Link DIR-878A1 router running firmware FW101B04.bin. The flaw resides in the SetDynamicDNSSettings handler exposed through prog.cgi. The ServerAddress and Hostname parameters are written to NVRAM without sanitization, then later read by the rc binary to build system commands executed through twsystem(). A remote attacker can send a crafted HTTP request to trigger arbitrary command execution on the device. The issue is tracked under CWE-77: Command Injection.
Critical Impact
Remote attackers can execute arbitrary operating system commands on affected D-Link DIR-878 routers without authentication, enabling full device takeover.
Affected Products
- D-Link DIR-878 hardware revision A1
- D-Link DIR-878 firmware version 1.01B04 (FW101B04.bin)
- Routers exposing the prog.cgi Dynamic DNS configuration endpoint
Discovery Timeline
- 2025-11-13 - CVE-2025-60672 published to the National Vulnerability Database (NVD)
- 2026-07-05 - Last updated in NVD database
Technical Details for CVE-2025-60672
Vulnerability Analysis
The vulnerability exists in the Dynamic DNS configuration path of the DIR-878A1 web management interface. When a client submits a SetDynamicDNSSettings request to prog.cgi, the router persists the supplied ServerAddress and Hostname values directly to NVRAM. The rc service subsequently reads those NVRAM entries and concatenates them into shell command strings that are passed to the internal twsystem() wrapper. Because the values are not validated or escaped at either the storage or execution stage, an attacker who injects shell metacharacters into either parameter can break out of the intended command context.
The request handler does not require authentication, which exposes the sink to any network-adjacent attacker who can reach the router's HTTP interface. On residential deployments where remote management is enabled, exploitation can occur directly from the internet.
Root Cause
The root cause is unsanitized use of user-controlled input in a command construction routine. Parameters flow from the HTTP request through prog.cgi into NVRAM and finally into twsystem(), which invokes a shell interpreter. No allowlist, escaping, or argument-vector execution model is applied along the data path, allowing metacharacters such as ;, |, &, and backticks to be interpreted as command separators.
Attack Vector
Exploitation requires only network access to the router's web interface. An attacker crafts an HTTP request targeting the SetDynamicDNSSettings action and embeds shell payloads inside the ServerAddress or Hostname fields. Once the settings are committed, rc executes the injected commands with the privileges of the router's management process, typically root. Persistence is trivial because the malicious values remain in NVRAM across reboots until overwritten. Refer to the public technical write-up for parameter-level details.
Detection Methods for CVE-2025-60672
Indicators of Compromise
- HTTP POST requests to prog.cgi containing SetDynamicDNSSettings with shell metacharacters in ServerAddress or Hostname
- Unexpected outbound connections initiated by the router to attacker-controlled infrastructure
- Modified NVRAM Dynamic DNS entries containing characters such as ;, |, &, $(, or backticks
- New or unfamiliar processes spawned by the rc binary on the device
Detection Strategies
- Inspect network captures for HTTP requests to the router's management interface that include DDNS parameters with non-hostname characters
- Correlate router configuration changes with subsequent anomalous DNS or outbound traffic patterns
- Baseline expected DDNS provider hostnames and alert on deviations
Monitoring Recommendations
- Log and review all administrative HTTP requests to consumer routers at the network edge
- Monitor for scanning activity targeting D-Link prog.cgi endpoints across the environment
- Alert on router-originated traffic to non-standard destinations, particularly over ports commonly used for reverse shells
How to Mitigate CVE-2025-60672
Immediate Actions Required
- Disable remote (WAN-side) web management on affected DIR-878 devices
- Disable the Dynamic DNS feature until a vendor patch is available
- Restrict LAN-side access to the management interface to trusted administrative hosts
- Replace end-of-life D-Link DIR-878 units with a currently supported model if no firmware fix is released
Patch Information
At the time of publication, no fixed firmware version is referenced in the NVD entry. Monitor the D-Link Security Bulletin for updates specific to the DIR-878A1 platform, and apply firmware updates as soon as they are released.
Workarounds
- Block inbound HTTP and HTTPS traffic to the router's WAN interface using upstream ACLs
- Segment the router's management VLAN from user and IoT networks
- Filter HTTP requests containing shell metacharacters in DDNS-related parameters at an inline security appliance
# Example: block WAN-side access to the router management interface
iptables -I INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -I INPUT -i wan0 -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

