ID

VAR-202511-1190


CVE

CVE-2025-60675


TITLE

Command injection vulnerability in D-Link Corporation DIR-823G firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-019458

DESCRIPTION

A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule configuration file. The vulnerability occurs because parsed fields from the configuration file are concatenated into command strings and executed via system() without any sanitization. An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device. The D-Link Corporation DIR-823G firmware contains a command injection vulnerability. Information may be obtained and information may be tampered with.

Trust: 1.62

sources: NVD: CVE-2025-60675 // JVNDB: JVNDB-2025-019458

AFFECTED PRODUCTS

vendor: dlink, model: dir-823g, scope: eq, version: 1.0.2b05_20181207

Trust: 1.0

vendor: d link, model: dir-823g, scope: eq, version: -

Trust: 0.8

vendor: d link, model: dir-823g, scope: -, version: -

Trust: 0.8

vendor: d link, model: dir-823g, scope: eq, version: dir-823g firmware 1.0.2b05 20181207

Trust: 0.8

sources: JVNDB: JVNDB-2025-019458 // NVD: CVE-2025-60675

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-60675
value: MEDIUM

Trust: 1.0

OTHER: JVNDB-2025-019458
value: MEDIUM

Trust: 0.8

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2025-60675
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 2.5
version: 3.1

Trust: 1.0

OTHER: JVNDB-2025-019458
baseSeverity: MEDIUM
baseScore: 5.4
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2025-019458 // NVD: CVE-2025-60675

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2025-019458 // NVD: CVE-2025-60675

EXTERNAL IDS

db: NVD, id: CVE-2025-60675

Trust: 2.6

db: JVNDB, id: JVNDB-2025-019458

Trust: 0.8

sources: JVNDB: JVNDB-2025-019458 // NVD: CVE-2025-60675

REFERENCES

url:http://d-link.com

Trust: 1.8

url:https://github.com/yifan20020708/sgtaint-0-day/blob/main/dlink/dlink-dir-823g/cve-2025-60675.md

Trust: 1.8

url:https://www.dlink.com/en

Trust: 1.8

url:https://www.dlink.com/en/security-bulletin/

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2025-60675

Trust: 0.8

sources: JVNDB: JVNDB-2025-019458 // NVD: CVE-2025-60675

SOURCES

db: JVNDB, id: JVNDB-2025-019458
db: NVD, id: CVE-2025-60675

LAST UPDATE DATE

2025-11-22T23:30:25.287000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2025-019458, date: 2025-11-19T07:35:00
db: NVD, id: CVE-2025-60675, date: 2025-11-17T19:04:49.447

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2025-019458, date: 2025-11-19T00:00:00
db: NVD, id: CVE-2025-60675, date: 2025-11-13T19:15:48.420