PT-2025-46885 · D Link · D-Link Dir-878A1
Published: 2025-11-13 · Updated: 2025-11-23 · CVE-2025-60672
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
D-Link DIR-878A1 router firmware versions prior to FW101B04
Description
An unauthenticated command injection issue exists in the D-Link DIR-878A1 router firmware. The problem is located in the SetDynamicDNSSettings functionality. Specifically, the ServerAddress and Hostname parameters within the prog.cgi script are not properly sanitized before being stored in NVRAM. These parameters are subsequently used by rc to build and execute system commands via the twsystem() function. A remote attacker can exploit this without authentication by sending a crafted HTTP request, resulting in arbitrary command execution on the device.
Recommendations
Update to firmware version FW101B04 or later.
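The missing sanitization described above can be illustrated with an allowlist check applied to both fields before they are stored. This is an added example, not code from the D-Link firmware or its patch; the function names are hypothetical and it assumes ServerAddress and Hostname are expected to hold DNS hostnames or dotted IPv4 addresses.

```c
#include <stddef.h>
#include <string.h>

/* ASCII-only test, independent of the process locale. */
static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z');
}

/* Hypothetical helper: returns 1 only for dot-separated labels of 1..63
 * characters from [A-Za-z0-9-], no label starting or ending with '-',
 * total length 1..253. Shell metacharacters, whitespace and control
 * bytes are all rejected because they are not on the allowlist. */
int is_valid_hostname(const char *s)
{
    size_t total, label_len = 0;
    char prev = '.';                 /* start of string is a label boundary */

    if (s == NULL)
        return 0;
    total = strlen(s);
    if (total == 0 || total > 253)
        return 0;
    for (size_t i = 0; i < total; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || prev == '-')  /* empty label or "-." */
                return 0;
            label_len = 0;
        } else if (is_ascii_alnum(c) || c == '-') {
            if (c == '-' && label_len == 0)     /* label starts with '-' */
                return 0;
            if (++label_len > 63)
                return 0;
        } else {
            return 0;                           /* ; | & $ ` quotes, space, ... */
        }
        prev = (char)c;
    }
    return label_len > 0 && prev != '-';        /* no trailing '.' or '-' */
}

/* Hypothetical gate run before either value is written to NVRAM:
 * 0 means both fields may be stored, -1 means refuse the request. */
int check_ddns_settings(const char *server_address, const char *hostname)
{
    if (!is_valid_hostname(server_address) || !is_valid_hostname(hostname))
        return -1;
    return 0;
}
```

Because the stored values are consumed later by a separate component, the same check is worth repeating where they are read back and turned into a command, since NVRAM may hold values written before the check existed.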
Exploit
Fix
Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
D-Link Dir-878A1