CVE-2025-60854
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on D-Link R15 (AX1500) routers by manipulating the model name parameter during password change requests. Attackers can gain full control of affected devices, potentially compromising network security. All users running firmware version 1.20.01 or below are affected.
💻 Affected Systems
- D-Link R15 (AX1500)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device takeover allowing attackers to install persistent malware, intercept all network traffic, pivot to internal networks, and use the device as part of a botnet.
Likely Case
Attackers gain shell access to execute commands, potentially installing backdoors, stealing credentials, or using the router for DDoS attacks.
If Mitigated
If proper network segmentation and access controls are in place, impact may be limited to the router itself without lateral movement.
🎯 Exploit Status
Command injection vulnerabilities are frequently weaponized quickly. The CVSS 9.8 score and unauthenticated nature make this highly attractive to attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for latest firmware
Vendor Advisory: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10473
Restart Required: Yes
Instructions:
1. Log into router web interface.
2. Navigate to firmware update section.
3. Download latest firmware from D-Link support site.
4. Upload and apply firmware update.
5. Reboot router after update completes.
🔧 Temporary Workarounds
Disable remote administration
Prevent external access to web administration interface
Restrict admin access
Limit admin interface access to specific IP addresses only
🧯 If You Can't Patch
- Segment router on isolated network segment
- Implement strict firewall rules blocking all unnecessary inbound traffic to router
🔍 How to Verify
Check if Vulnerable:
Check firmware version in router web interface under System Status or Administration settings
Check Version:
Check via web interface or SSH if enabled: cat /etc/version
Verify Fix Applied:
Verify firmware version is above 1.20.01 after applying update
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to password change endpoint with model name parameter containing shell metacharacters
- Unexpected process execution from httpd
Network Indicators:
- Unusual outbound connections from router
- Traffic patterns suggesting command and control communication
SIEM Query:
source="router_logs" AND (uri="/goform/formSetDeviceName" OR uri="/goform/formPasswordSetup") AND (param="model_name" OR param="model") AND (value MATCHES "[;&|`$()]+")
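As an added detection example (not part of the original advisory or any vendor tooling), the following Python check applies the same logic as the SIEM query above to constructed access-log lines; the tab-separated log format, field layout and sample values are assumptions. It decodes the request parameters before matching, so a percent-encoded metacharacter such as %3B does not slip past the pattern.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not captured from a real device):
# method, request URI (may carry a query string) and raw POST body, tab-separated.
SAMPLE_LOGS = [
    "POST\t/goform/formPasswordSetup\tmodel=R15&old_pw=x&new_pw=y",
    "POST\t/goform/formSetDeviceName\tmodel_name=R15%3Btest",
    "POST\t/goform/formSetDeviceName\tmodel_name=R15-home",
    "GET\t/index.html\t",
    "POST\t/goform/formPasswordSetup?model=R15%60\tnew_pw=y",
]

# Endpoints and parameter names taken from the SIEM query above.
WATCHED_URIS = {"/goform/formSetDeviceName", "/goform/formPasswordSetup"}
WATCHED_PARAMS = ("model_name", "model")
# Same shell metacharacter class the SIEM query uses.
META = re.compile(r"[;&|`$()]")


def suspicious_requests(lines):
    """Return (path, parameter, decoded value) for each request whose watched
    parameter contains a shell metacharacter, in log order."""
    hits = []
    for line in lines:
        try:
            method, uri, body = line.split("\t", 2)
        except ValueError:
            continue  # malformed line; skip rather than crash the check
        parts = urlsplit(uri)
        if parts.path not in WATCHED_URIS:
            continue
        # parse_qs percent-decodes values, so encoded metacharacters are seen.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if META.search(value):
                    hits.append((parts.path, name, value))
    return hits


if __name__ == "__main__":
    for path, name, value in suspicious_requests(SAMPLE_LOGS):
        print(f"ALERT {path} {name}={value!r}")
```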