CVE-2025-60563 – This buffer overflow vulnerability in D-Link DI... (How to Fix)

Q: What is the severity of CVE-2025-60563?

CVE-2025-60563 has a CVSS score of 7.5 (HIGH). This buffer overflow vulnerability in D-Link DIR600L routers allows attackers to execute arbitrary code by sending specially crafted requests to the formSetPortTr function. It affects users of D-Link DIR600L routers running specific vulnerable firmware versions. Successful exploitation could lead to complete device compromise.

📋 TL;DR

This buffer overflow vulnerability in D-Link DIR600L routers allows attackers to execute arbitrary code by sending specially crafted requests to the formSetPortTr function. It affects users of D-Link DIR600L routers running specific vulnerable firmware versions. Successful exploitation could lead to complete device compromise.

💻 Affected Systems

Products:

D-Link DIR600L

Versions: FW116WWb01

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the specific firmware version mentioned; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

Dir 600l Firmware by Dlink

View all CVEs affecting Dir 600l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full router compromise, credential theft, network pivoting, and persistent backdoor installation.

🟠

Likely Case

Router crash/reboot causing temporary network disruption, or limited code execution for reconnaissance.

🟢

If Mitigated

Denial of service if exploit fails but triggers crash, or blocked by network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and this appears to be an unauthenticated vulnerability.

🏢 Internal Only: MEDIUM - Could be exploited from internal networks if attacker gains access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public GitHub repository contains detailed analysis and likely exploit code. Buffer overflow via curTime parameter suggests straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown - No D-Link advisory found at time of analysis

Restart Required: Yes

Instructions:

1. Check D-Link support site for firmware updates. 2. Download latest firmware for DIR600L. 3. Access router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router administration interface

Access router admin → Advanced → Remote Management → Disable

Network segmentation

all

Isolate router management interface from untrusted networks

🧯 If You Can't Patch

Replace affected router with supported model
Implement strict firewall rules blocking access to router admin interface from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface under Status → Firmware

Check Version:

Check router web interface or use nmap/router scanning tools

Verify Fix Applied:

Verify firmware version is updated beyond FW116WWb01

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to formSetPortTr with malformed curTime parameter
Router crash/reboot logs
Unusual outbound connections from router

Network Indicators:

HTTP requests containing long curTime parameters to router admin interface
Port 80/443 traffic to router with exploit patterns

SIEM Query:

source_ip="router_ip" AND (uri_path="*formSetPortTr*" AND param_length>100) OR event_type="device_reboot"

📊 Metadata

CVE ID: CVE-2025-60563

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-121

EPSS Score: 0.08% exploit probability (23.7th percentile)

Published: October 24, 2025

Last Updated: October 27, 2025

🔗 References

https://github.com/luckysmallbird/DLINK-DIR600LAx-Vulnerability/blob/main/18-buffer%20overflow-formSetPortTr.md Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60563, you might also want to check these: