CVE Catalog

CVE-2025-60675

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.32%

67th percentile - higher than 67% of all known CVEs

Summary

A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries. The vulnerability occurs because parsed fields from the /tmp/new_qos.rule configuration file are concatenated into command strings and executed via system() without any sanitization.

Risk Assessment

An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device, leading to full compromise of the router and potential network security breach.

Recommendation

Immediately update the router firmware to the latest available version or apply a workaround by restricting access to /tmp/new_qos.rule and monitoring its modifications.

Original NVD description (English source)

A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule configuration file. The vulnerability occurs because parsed fields from the configuration file are concatenated into command strings and executed via system() without any sanitization. An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS