CVE-2025-60565
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on D-Link DIR600L routers via a buffer overflow in the schedule configuration function. Attackers can exploit this by sending specially crafted requests to the vulnerable parameter. All users of affected firmware versions are at risk.
💻 Affected Systems
- D-Link DIR600L
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to persistent backdoor installation, network traffic interception, and lateral movement to other devices on the network.
Likely Case
Router crash causing denial of service, or limited code execution allowing configuration changes and credential theft.
If Mitigated
If the router is behind a firewall with strict inbound rules, exploitation risk is reduced but internal attacks remain possible.
🎯 Exploit Status
The GitHub reference contains detailed analysis and proof-of-concept code showing exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: No
Instructions:
Check D-Link's official support page for firmware updates. If available, download the latest firmware and upload it via the router's web interface under Administration > Firmware Update.
🔧 Temporary Workarounds
Disable Remote Management
allPrevents external attackers from accessing the vulnerable interface
Access router web interface > Advanced > Remote Management > Disable
Block Web Interface Ports
linuxBlock access to router management ports (typically 80, 443, 8080)
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
iptables -A INPUT -p tcp --dport 8080 -j DROP
🧯 If You Can't Patch
- Replace the router with a supported model that receives security updates
- Segment the network to isolate the vulnerable router from critical systems
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface: Status > Device Info > Firmware Version. If version is FW116WWb01, the device is vulnerable.Check Version:
curl -s http://router-ip/status.asp | grep -i firmwareVerify Fix Applied:
After updating firmware, verify the version no longer shows FW116WWb01. Test by attempting to trigger the overflow with safe test payloads.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /goform/formSchedule with long curTime parameters
- Router crash/reboot logs
- Multiple failed authentication attempts
Network Indicators:
- HTTP requests with abnormally long parameter values to router IP
- Traffic patterns suggesting port scanning of router management ports
SIEM Query:
source="router.log" AND ("formSchedule" OR "curTime") AND bytes>1000