CVE-2025-60673
MediumCVSS 6.5Exploitation Probability (EPSS)
High risk88th percentile - higher than 88% of all known CVEs
Summary
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
Risk Assessment
The risk for the organization includes full compromise of the router, potentially allowing the attacker to intercept network traffic, modify configurations, or use the device as an entry point into the internal network.
Recommendation
Immediately update the D-Link DIR-878A1 router firmware to the latest version if a patch is available. If no update is available, disable the DMZ feature or restrict access to the management interface to trusted IP addresses only.
Original NVD description (English source)
An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.

