Details of VAR-202511-1325

ID

VAR-202511-1325

CVE

CVE-2025-60673

TITLE

D-Link Corporation of DIR-878 Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2025-019494

DESCRIPTION

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device

Trust: 1.62

sources: NVD: CVE-2025-60673 // JVNDB: JVNDB-2025-019494

AFFECTED PRODUCTS

vendor:	dlink	model:	dir-878	scope:	eq	version:	1.01b04	Trust: 1.0
vendor:	d link	model:	dir-878	scope:	eq	version:	-	Trust: 0.8
vendor:	d link	model:	dir-878	scope:	-	version:	-	Trust: 0.8
vendor:	d link	model:	dir-878	scope:	eq	version:	dir-878 firmware 1.01b04	Trust: 0.8

sources: JVNDB: JVNDB-2025-019494 // NVD: CVE-2025-60673

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2025-60673
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2025-019494
value:	MEDIUM
Trust: 0.8

134c704f-9b21-4f2e-91b3-4a467353bcc0:	CVE-2025-60673
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.5
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2025-019494
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2025-019494 // NVD: CVE-2025-60673

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2025-019494 // NVD: CVE-2025-60673

EXTERNAL IDS

db:	NVD	id:	CVE-2025-60673	Trust: 2.6
db:	JVNDB	id:	JVNDB-2025-019494	Trust: 0.8

sources: JVNDB: JVNDB-2025-019494 // NVD: CVE-2025-60673

REFERENCES

url:	http://d-link.com	Trust: 1.8
url:	https://github.com/yifan20020708/sgtaint-0-day/blob/main/dlink/dlink-dir-878/cve-2025-60673.md	Trust: 1.8
url:	https://www.dlink.com/en	Trust: 1.8
url:	https://www.dlink.com/en/security-bulletin/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2025-60673	Trust: 0.8

sources: JVNDB: JVNDB-2025-019494 // NVD: CVE-2025-60673

SOURCES

db:	JVNDB	id:	JVNDB-2025-019494
db:	NVD	id:	CVE-2025-60673

LAST UPDATE DATE

2025-11-22T23:26:36.564000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2025-019494	date:	2025-11-20T03:22:00
db:	NVD	id:	CVE-2025-60673	date:	2025-11-17T19:03:53.503

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2025-019494	date:	2025-11-20T00:00:00
db:	NVD	id:	CVE-2025-60673	date:	2025-11-13T19:15:48.167