Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-60672

CVE-2025-60672: D-Link DIR-878 Firmware RCE Vulnerability

CVE-2025-60672 is an unauthenticated command injection flaw in D-Link DIR-878A1 router firmware that allows remote attackers to execute arbitrary commands. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2025-60672 Overview

CVE-2025-60672 is an unauthenticated command injection vulnerability in the D-Link DIR-878A1 router running firmware FW101B04.bin. The flaw resides in the SetDynamicDNSSettings handler exposed through prog.cgi. The ServerAddress and Hostname parameters are written to NVRAM without sanitization, then later read by the rc binary to build system commands executed through twsystem(). A remote attacker can send a crafted HTTP request to trigger arbitrary command execution on the device. The issue is tracked under CWE-77: Command Injection.

Critical Impact

Remote attackers can execute arbitrary operating system commands on affected D-Link DIR-878 routers without authentication, enabling full device takeover.

Affected Products

  • D-Link DIR-878 hardware revision A1
  • D-Link DIR-878 firmware version 1.01B04 (FW101B04.bin)
  • Routers exposing the prog.cgi Dynamic DNS configuration endpoint

Discovery Timeline

  • 2025-11-13 - CVE-2025-60672 published to the National Vulnerability Database (NVD)
  • 2026-07-05 - Last updated in NVD database

Technical Details for CVE-2025-60672

Vulnerability Analysis

The vulnerability exists in the Dynamic DNS configuration path of the DIR-878A1 web management interface. When a client submits a SetDynamicDNSSettings request to prog.cgi, the router persists the supplied ServerAddress and Hostname values directly to NVRAM. The rc service subsequently reads those NVRAM entries and concatenates them into shell command strings that are passed to the internal twsystem() wrapper. Because the values are not validated or escaped at either the storage or execution stage, an attacker who injects shell metacharacters into either parameter can break out of the intended command context.

The request handler does not require authentication, which exposes the sink to any network-adjacent attacker who can reach the router's HTTP interface. On residential deployments where remote management is enabled, exploitation can occur directly from the internet.

Root Cause

The root cause is unsanitized use of user-controlled input in a command construction routine. Parameters flow from the HTTP request through prog.cgi into NVRAM and finally into twsystem(), which invokes a shell interpreter. No allowlist, escaping, or argument-vector execution model is applied along the data path, allowing metacharacters such as ;, |, &, and backticks to be interpreted as command separators.

Attack Vector

Exploitation requires only network access to the router's web interface. An attacker crafts an HTTP request targeting the SetDynamicDNSSettings action and embeds shell payloads inside the ServerAddress or Hostname fields. Once the settings are committed, rc executes the injected commands with the privileges of the router's management process, typically root. Persistence is trivial because the malicious values remain in NVRAM across reboots until overwritten. Refer to the public technical write-up for parameter-level details.

Detection Methods for CVE-2025-60672

Indicators of Compromise

  • HTTP POST requests to prog.cgi containing SetDynamicDNSSettings with shell metacharacters in ServerAddress or Hostname
  • Unexpected outbound connections initiated by the router to attacker-controlled infrastructure
  • Modified NVRAM Dynamic DNS entries containing characters such as ;, |, &, $(, or backticks
  • New or unfamiliar processes spawned by the rc binary on the device

Detection Strategies

  • Inspect network captures for HTTP requests to the router's management interface that include DDNS parameters with non-hostname characters
  • Correlate router configuration changes with subsequent anomalous DNS or outbound traffic patterns
  • Baseline expected DDNS provider hostnames and alert on deviations

Monitoring Recommendations

  • Log and review all administrative HTTP requests to consumer routers at the network edge
  • Monitor for scanning activity targeting D-Link prog.cgi endpoints across the environment
  • Alert on router-originated traffic to non-standard destinations, particularly over ports commonly used for reverse shells

How to Mitigate CVE-2025-60672

Immediate Actions Required

  • Disable remote (WAN-side) web management on affected DIR-878 devices
  • Disable the Dynamic DNS feature until a vendor patch is available
  • Restrict LAN-side access to the management interface to trusted administrative hosts
  • Replace end-of-life D-Link DIR-878 units with a currently supported model if no firmware fix is released

Patch Information

At the time of publication, no fixed firmware version is referenced in the NVD entry. Monitor the D-Link Security Bulletin for updates specific to the DIR-878A1 platform, and apply firmware updates as soon as they are released.

Workarounds

  • Block inbound HTTP and HTTPS traffic to the router's WAN interface using upstream ACLs
  • Segment the router's management VLAN from user and IoT networks
  • Filter HTTP requests containing shell metacharacters in DDNS-related parameters at an inline security appliance
bash
# Example: block WAN-side access to the router management interface
iptables -I INPUT -i wan0 -p tcp --dport 80 -j DROP
iptables -I INPUT -i wan0 -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.