Details of VAR-202511-0385

ID

VAR-202511-0385

CVE

CVE-2025-60672

TITLE

D-Link Corporation of DIR-878 Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-019495

DESCRIPTION

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device

Trust: 1.62

sources: NVD: CVE-2025-60672 // JVNDB: JVNDB-2025-019495

AFFECTED PRODUCTS

vendor:	dlink	model:	dir-878	scope:	eq	version:	1.01b04	Trust: 1.0
vendor:	d link	model:	dir-878	scope:	eq	version:	-	Trust: 0.8
vendor:	d link	model:	dir-878	scope:	-	version:	-	Trust: 0.8
vendor:	d link	model:	dir-878	scope:	eq	version:	dir-878 firmware 1.01b04	Trust: 0.8

sources: JVNDB: JVNDB-2025-019495 // NVD: CVE-2025-60672

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2025-60672
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2025-019495
value:	MEDIUM
Trust: 0.8

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2025-60672
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.5
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2025-019495
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2025-019495 // NVD: CVE-2025-60672

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-019495 // NVD: CVE-2025-60672

EXTERNAL IDS

db:	NVD	id:	CVE-2025-60672	Trust: 2.6
db:	JVNDB	id:	JVNDB-2025-019495	Trust: 0.8

sources: JVNDB: JVNDB-2025-019495 // NVD: CVE-2025-60672

REFERENCES

url:	http://d-link.com	Trust: 1.8
url:	https://github.com/yifan20020708/sgtaint-0-day/blob/main/dlink/dlink-dir-878/cve-2025-60672.md	Trust: 1.8
url:	https://www.dlink.com/en	Trust: 1.8
url:	https://www.dlink.com/en/security-bulletin/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2025-60672	Trust: 0.8

sources: JVNDB: JVNDB-2025-019495 // NVD: CVE-2025-60672

SOURCES

db:	JVNDB	id:	JVNDB-2025-019495
db:	NVD	id:	CVE-2025-60672

LAST UPDATE DATE

2025-11-22T23:39:14.318000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2025-019495	date:	2025-11-20T03:22:00
db:	NVD	id:	CVE-2025-60672	date:	2025-11-17T19:04:14.260

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2025-019495	date:	2025-11-20T00:00:00
db:	NVD	id:	CVE-2025-60672	date:	2025-11-13T19:15:48.040