CVE-2025-60701

Name of the Vulnerable Software and Affected Versions D-Link DIR-882 Router firmware versions prior to DIR882A1 FW102B02

Description A command injection issue exists in the D-Link DIR-882 Router firmware. The sub 433188 function within the prog.cgi binary stores user-provided email configuration parameters – EmailFrom, EmailTo, SMTPServerAddress, SMTPServerPort, and AccountName – in NVRAM using nvram safe set. Subsequently, the sub 448FDC function in the rc binary retrieves these values using nvram safe get and incorporates them into shell commands executed via twsystem() without proper sanitization. An unauthenticated remote attacker can leverage this to execute arbitrary commands on the device by sending crafted HTTP requests to the router’s web interface.

Recommendations Update the D-Link DIR-882 Router firmware to version DIR882A1 FW102B02 or later.