CVE-2025-60701 – This CVE describes a command injection vulnerab... (How to Fix)

Q: What is the severity of CVE-2025-60701?

CVE-2025-60701 has a CVSS score of 6.5 (MEDIUM). This CVE describes a command injection vulnerability in D-Link DIR-882 router firmware that allows unauthenticated remote attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted HTTP requests to the router's web interface. All users of affected D-Link DIR-882 routers with vulnerable firmware are at risk.

📋 TL;DR

This CVE describes a command injection vulnerability in D-Link DIR-882 router firmware that allows unauthenticated remote attackers to execute arbitrary commands on the device. Attackers can exploit this by sending specially crafted HTTP requests to the router's web interface. All users of affected D-Link DIR-882 routers with vulnerable firmware are at risk.

💻 Affected Systems

Products:

D-Link DIR-882 Router

Versions: Firmware version DIR882A1_FW102B02

Operating Systems: Embedded Linux-based router OS

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in default configuration. No special configuration required for exploitation.

📦 What is this software?

Dir 882 Firmware by Dlink

View all CVEs affecting Dir 882 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to install persistent malware, intercept all network traffic, pivot to internal network devices, or use the router as part of a botnet.

🟠

Likely Case

Router compromise leading to network traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access, though internal attackers could still exploit.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available on GitHub. Exploitation requires sending HTTP requests to router web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dlink.com/en/security-bulletin/

Restart Required: Yes

Instructions:

1. Check D-Link security bulletin for patch availability. 2. If patch available, download from D-Link support site. 3. Log into router admin interface. 4. Navigate to firmware update section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable Remote Management

all

Prevent external access to router web interface

Restrict Web Interface Access

all

Limit access to router admin interface to trusted IPs only

🧯 If You Can't Patch

Replace affected router with different model
Place router behind firewall with strict inbound rules blocking web interface access

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is DIR882A1_FW102B02, device is vulnerable.

Check Version:

Log into router web interface and check System Status or Firmware Update section

Verify Fix Applied:

Verify firmware version has been updated to a version later than DIR882A1_FW102B02.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to prog.cgi with email parameters
Multiple failed login attempts followed by successful command execution
Unusual system commands in router logs

Network Indicators:

HTTP requests containing shell metacharacters in email parameters
Outbound connections from router to unexpected destinations
Unusual traffic patterns from router

SIEM Query:

source="router_logs" AND (uri="/prog.cgi" AND (param="EmailFrom" OR param="EmailTo" OR param="SMTPServerAddress" OR param="SMTPServerPort" OR param="AccountName") AND value MATCHES "[;&|`$()]"

📊 Metadata

CVE ID: CVE-2025-60701

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE: CWE-77

EPSS Score: 0.18% exploit probability (39.5th percentile)

Published: November 13, 2025

Last Updated: November 17, 2025

🔗 References

https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/1.md Broken Link
https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60701.md Exploit,Third Party Advisory
https://www.dlink.com Product
https://www.dlink.com/en/security-bulletin/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60701, you might also want to check these: