CVE-2025-60548 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-60548?

CVE-2025-60548 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows remote attackers to execute arbitrary code on D-Link DIR600L routers by exploiting a buffer overflow in the formLanSetupRouterSettings function. Attackers can achieve remote code execution with high privileges by sending specially crafted requests to the vulnerable parameter. All users of affected D-Link DIR600L routers with the vulnerable firmware are at risk.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on D-Link DIR600L routers by exploiting a buffer overflow in the formLanSetupRouterSettings function. Attackers can achieve remote code execution with high privileges by sending specially crafted requests to the vulnerable parameter. All users of affected D-Link DIR600L routers with the vulnerable firmware are at risk.

💻 Affected Systems

Products:

D-Link DIR600L

Versions: FW116WWb01

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Dir 600l Firmware by Dlink

View all CVEs affecting Dir 600l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router leading to persistent remote access, network traffic interception, credential theft, and pivot to internal network devices.

🟠

Likely Case

Router takeover enabling DNS hijacking, credential harvesting, and deployment of malware to connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access, though internal attackers could still exploit.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.

🏢 Internal Only: HIGH - The vulnerability can be exploited from the LAN side without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available on GitHub demonstrates exploitation. No authentication required to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check D-Link support site for firmware updates. 2. Download latest firmware for DIR600L. 3. Access router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Wait for router to reboot.

🔧 Temporary Workarounds

Disable remote administration

all

Prevents external attackers from accessing the vulnerable interface

Restrict LAN access

all

Use firewall rules to limit which devices can access the router admin interface

🧯 If You Can't Patch

Replace affected router with supported model
Isolate router in separate VLAN with strict access controls

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under System or Maintenance section

Check Version:

Check via web interface or use nmap to identify firmware version

Verify Fix Applied:

Verify firmware version has been updated to a version later than FW116WWb01

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to formLanSetupRouterSettings
Large payloads in curTime parameter
Router crash/reboot events

Network Indicators:

HTTP requests with oversized curTime parameter values
Traffic to router admin interface from unexpected sources

SIEM Query:

source="router_logs" AND (uri="*formLanSetupRouterSettings*" AND content_length>1000)

📊 Metadata

CVE ID: CVE-2025-60548

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

EPSS Score: 0.16% exploit probability (36.8th percentile)

Published: October 24, 2025

Last Updated: October 28, 2025

🔗 References

https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/01-buffer%20overflow-formLanSetupRouterSettings.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60548, you might also want to check these: