CVE-2025-60331 – A buffer overflow vulnerability exists in the F... (How to Fix)

Q: What is the severity of CVE-2025-60331?

CVE-2025-60331 has a CVSS score of 7.5 (HIGH). A buffer overflow vulnerability exists in the FillMacCloneMac parameter of the /EXCU_SHELL endpoint on D-Link DIR-823G A1 routers running firmware v1.0.2B05. Attackers can exploit this by sending crafted inputs to cause a Denial of Service (DoS), potentially crashing the device. This affects all users of the specified router model and firmware version.

📋 TL;DR

A buffer overflow vulnerability exists in the FillMacCloneMac parameter of the /EXCU_SHELL endpoint on D-Link DIR-823G A1 routers running firmware v1.0.2B05. Attackers can exploit this by sending crafted inputs to cause a Denial of Service (DoS), potentially crashing the device. This affects all users of the specified router model and firmware version.

💻 Affected Systems

Products:

D-Link DIR-823G A1

Versions: v1.0.2B05

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the firmware itself, so all devices running this version are affected regardless of configuration.

📦 What is this software?

Dir 823g Firmware by Dlink

View all CVEs affecting Dir 823g Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device crash requiring physical reboot, potential remote code execution if the overflow can be controlled precisely (though not indicated in description).

🟠

Likely Case

Denial of Service causing router reboot and network disruption for connected devices.

🟢

If Mitigated

Limited impact if device is behind firewall with restricted access to management interface.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and the /EXCU_SHELL endpoint may be accessible from WAN if remote management is enabled.

🏢 Internal Only: MEDIUM - Attackers on the local network could exploit this to disrupt network connectivity.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public PoC exists on GitHub, making exploitation straightforward for attackers with basic skills. The description suggests unauthenticated access to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Check D-Link security bulletin for firmware updates. 2. Download updated firmware from D-Link support site. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply the new firmware. 6. Wait for router to reboot.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router management interface

Log into router admin → System → Remote Management → Disable

Restrict Management Access

all

Limit management interface access to specific IP addresses

Log into router admin → Firewall → Access Control → Add rules to restrict admin access

🧯 If You Can't Patch

Replace affected router with a different model that receives security updates
Isolate router in separate network segment with strict firewall rules blocking access to management ports

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System → Firmware

Check Version:

curl -s http://router-ip/status.html | grep Firmware

Verify Fix Applied:

Verify firmware version has been updated to a version later than v1.0.2B05

📡 Detection & Monitoring

Log Indicators:

Multiple requests to /EXCU_SHELL endpoint
Router crash/reboot events in system logs
Unusual POST requests with large FillMacCloneMac parameter

Network Indicators:

HTTP POST requests to router IP on port 80/443 targeting /EXCU_SHELL
Sudden loss of connectivity to router management interface

SIEM Query:

source="router_logs" AND (uri="/EXCU_SHELL" OR message="reboot" OR message="crash")

📊 Metadata

CVE ID: CVE-2025-60331

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-121

EPSS Score: 0.04% exploit probability (11.3th percentile)

Published: October 22, 2025

Last Updated: October 24, 2025

🔗 References

https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/DIR823G/FillMacCloneMac/FillMacCloneMac.md Exploit,Third Party Advisory
https://www.dlink.com/en/security-bulletin/ Vendor Advisory
https://github.com/z472421519/BinaryAudit/blob/main/PoC/BOF/DIR823G/FillMacCloneMac/FillMacCloneMac.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60331, you might also want to check these: