CVE-2025-60555

7.5 HIGH

📋 TL;DR

This buffer overflow in D-Link DIR600L routers lets an attacker execute arbitrary code by sending a specially crafted request to the formSetWizardSelectMode handler with an oversized curTime parameter. It affects DIR600L routers running firmware FW116WWb01 whose web management interface is reachable by the attacker (on the LAN, or from the internet if remote management is enabled). The request is reported to work without authentication, and successful exploitation can lead to complete device compromise.

💻 Affected Systems

Products:
  • D-Link DIR600L
Versions: FW116WWb01
Operating Systems: Embedded Linux firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Requires network reachability of the web management interface (LAN, or WAN if remote management is enabled). The overflow is reported as reachable without authentication, so credentials do not gate it; many users nevertheless keep default admin credentials, which widens what an attacker can do with the rest of the interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full router compromise, credential theft, network traffic interception, and pivot to internal network.

🟠

Likely Case

Router crash/reboot causing temporary network disruption, or limited code execution if exploit is constrained.

🟢

If Mitigated

No impact if the management interface is unreachable from the attacker; at worst a crash/reboot (denial of service) if an attempt still reaches the device and the exploit fails.

🌐 Internet-Facing: HIGH - Web management interface often exposed to internet on consumer routers.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or malware on local network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public GitHub repository contains a detailed analysis and likely exploit code. The overflow is triggered through the curTime parameter of a single HTTP request to formSetWizardSelectMode, so the exploit appears straightforward to reproduce; the attacker needs only network access to the interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown (no fixed firmware version has been published at the time of writing)

Vendor Advisory: Unknown - check D-Link security advisories for a bulletin that names CVE-2025-60555

Restart Required: Yes

Instructions:

1. Check the D-Link support site for a DIR600L firmware update whose release notes or advisory reference this CVE.
2. Download the firmware only from the D-Link support site.
3. Log into the router admin panel from a wired LAN client.
4. Navigate to the firmware update section.
5. Upload and apply the new firmware; do not power-cycle the device while it writes flash.
6. Wait for the router to reboot, then confirm the firmware version shown under Status matches the version you installed.

🔧 Temporary Workarounds

Disable remote management (applies to: all versions)

Prevents external access to the web management interface, which removes the internet-facing attack path.

Log into router admin → Advanced → Remote Management → Disable

Change default credentials (applies to: all versions)

Use a strong admin password to reduce the attack surface. Caveat: the exploit is reported as unauthenticated, so a strong password does not by itself block this overflow; it limits what an attacker can do through the rest of the interface and blocks credential-based follow-on actions.

Log into router admin → Tools → Admin → Set strong password

🧯 If You Can't Patch

  • Restrict the management interface to a dedicated management VLAN or segment reachable only from trusted admin hosts, so guest, IoT and other untrusted LAN devices cannot reach it
  • Implement firewall rules upstream (or on the router's own WAN side) to block access to the web interface (port 80/443, plus any custom remote-management port) from the internet and from untrusted segments

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the router admin panel under Status → Firmware. If it reads FW116WWb01, the device is affected.

Check Version:

curl -s http://router-ip/status.cgi | grep firmware

(The exact status page path varies by firmware build; if this URL returns nothing, read the version from the Status page in the web UI instead.)

Verify Fix Applied:

After updating, confirm the firmware version shown under Status is the version named in a D-Link advisory for this CVE. Because no fixed version has been published yet, a version string that is merely "newer than FW116WWb01" is not proof of a fix; treat the device as vulnerable until the vendor advisory names the patched build.

📡 Detection & Monitoring

Log Indicators:

  • Multiple POST requests to /formSetWizardSelectMode with long curTime parameters
  • Router crash/reboot logs

Network Indicators:

  • Unusual HTTP POST traffic to router port 80/443 with oversized parameters

SIEM Query (pseudo-query; adapt the field names to your log schema):

source="router.log" AND "formSetWizardSelectMode" AND (curTime.length > 100 OR status=500)

Consumer router syslog rarely records request URIs or form bodies, so this query assumes HTTP access logs captured upstream by a reverse proxy, IDS (Suricata/Zeek) or packet capture. The 100-byte bound is a starting point; baseline the length of legitimate curTime values (a timestamp) before alerting on it.

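The detection logic above, run over constructed sample records, as an added example that is not part of the original page or of any vendor or researcher tooling. It assumes an upstream proxy or IDS exported each request as a pipe-delimited record (timestamp, source IP, method, URI, status, form body); the record format, the sample lines and the 100-byte threshold are assumptions for illustration. URL-encoded bodies are decoded before measuring curTime so that percent-encoding does not hide an oversized value, and a missing response ("-") is treated like a 5xx because a crashed router sends nothing back.

```python
"""Flag requests matching the CVE-2025-60555 indicators on this page:
POSTs to formSetWizardSelectMode carrying an oversized curTime value,
5xx or missing responses to that handler, and repeated POSTs from one source.
Added example; assumes request bodies were captured upstream (proxy/IDS/pcap)."""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample records (not real captures): ts|src_ip|method|uri|status|body
SAMPLE_LOGS = [
    "2025-10-01T10:00:01Z|192.168.0.23|POST|/formSetWizardSelectMode|200|curTime=1727776801&wizardSelectMode=auto",
    "2025-10-01T10:00:02Z|192.168.0.23|GET|/status.cgi|200|",
    "2025-10-01T10:05:13Z|203.0.113.7|POST|/formSetWizardSelectMode|200|curTime=" + "A" * 300 + "&wizardSelectMode=auto",
    "2025-10-01T10:05:14Z|203.0.113.7|POST|/formSetWizardSelectMode|500|curTime=" + "%41" * 200,
    "2025-10-01T10:05:15Z|203.0.113.7|POST|/formSetWizardSelectMode|-|curTime=" + "A" * 600,
]

CURTIME_THRESHOLD = 100   # same bound as the page's SIEM query; tune after baselining
REPEAT_LIMIT = 3          # POSTs to the handler from one source before flagging
HANDLER = "formSetWizardSelectMode"


def parse_record(line):
    """Split one assumed pipe-delimited record into a dict, or None if malformed."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        return None
    ts, src, method, uri, status, body = fields
    return {"ts": ts, "src": src, "method": method, "uri": uri,
            "status": status, "body": body}


def curtime_length(body):
    """Longest *decoded* curTime value in a form-urlencoded body (0 if absent)."""
    values = parse_qs(body, keep_blank_values=True).get("curTime", [])
    return max((len(v) for v in values), default=0)


def targets_handler(rec):
    return rec["method"] == "POST" and HANDLER in rec["uri"]


def classify(rec, threshold=CURTIME_THRESHOLD):
    """Return the indicator names a single record triggers (empty list if none)."""
    hits = []
    if not targets_handler(rec):
        return hits
    n = curtime_length(rec["body"])
    if n > threshold:
        hits.append(f"oversized curTime ({n} bytes)")
    # A 5xx or no response at all is consistent with the handler crashing.
    if rec["status"].startswith("5") or rec["status"] == "-":
        hits.append(f"error/no response (status {rec['status']})")
    return hits


def analyze(lines, threshold=CURTIME_THRESHOLD, repeat_limit=REPEAT_LIMIT):
    """Run all indicators over an iterable of records; return a list of alerts."""
    alerts = []
    posts_per_src = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if targets_handler(rec):
            posts_per_src[rec["src"]] += 1
        for reason in classify(rec, threshold):
            alerts.append({"ts": rec["ts"], "src": rec["src"], "reason": reason})
    for src, n in posts_per_src.items():
        if n >= repeat_limit:
            alerts.append({"ts": None, "src": src,
                           "reason": f"{n} POSTs to {HANDLER}"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

On the sample records the benign LAN client (normal ten-digit curTime, status 200) produces no alert, while the external source trips the oversized-value check three times, the error/no-response check twice, and the repeat counter once. When wiring this into a real pipeline, swap parse_record for your proxy or Zeek http.log schema and keep the decoded-length measurement, since the raw body length understates a percent-encoded payload.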