PT-2025-46886 · D-Link · D-Link Dir-878A1

Published: 2025-11-12 · Updated: 2025-11-23 · CVE-2025-60673

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

D-Link DIR-878A1 router firmware versions prior to FW101B04

Description

An unauthenticated command injection issue exists in the 'SetDMZSettings' functionality of the D-Link DIR-878A1 router. The IPAddress parameter within the prog.cgi script is vulnerable because it is not properly sanitized before being stored in NVRAM. This parameter is subsequently used by librcm.so to construct iptables commands, which are then executed via the twsystem() function. A remote, unauthenticated attacker can exploit this by sending a crafted HTTP request to execute arbitrary commands on the device.

Recommendations

Update to firmware version FW101B04 or later.
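
The class of fix the description points to, shown as an added example (not D-Link's code and not part of the original advisory): validate the address strictly before it is stored and again where it is read back, and pass it to iptables as a single argument instead of building a shell string. The function names, the sample value and the iptables rule are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Accept only a canonical dotted-quad IPv4 string: parse it, print it back,
   and require an exact match, so no trailing bytes of any kind survive. */
int is_canonical_ipv4(const char *s)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];

    if (s == NULL || strlen(s) >= INET_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, s, &addr) != 1)
        return 0;
    if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL)
        return 0;
    return strcmp(s, canon) == 0;
}

/* Build an argument vector for execv()-style launch (no shell involved).
   The rule is illustrative, not the firmware's actual iptables rule.
   Returns the argument count, or -1 if the address fails validation. */
int build_dmz_argv(const char *ip, const char *argv[], size_t cap)
{
    static const char *const rule[] = { "iptables", "-t", "nat", "-A",
        "PREROUTING", "-j", "DNAT", "--to-destination" };
    size_t n = sizeof rule / sizeof rule[0];

    if (!is_canonical_ipv4(ip) || cap < n + 2)
        return -1;
    for (size_t i = 0; i < n; i++)
        argv[i] = rule[i];
    argv[n] = ip;        /* one argv element, never re-parsed by a shell */
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

int main(void)
{
    const char *argv[16];
    const char *stored = "192.168.0.100"; /* constructed sample NVRAM value */
    int argc = build_dmz_argv(stored, argv, 16);

    for (int i = 0; i < argc; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    return argc > 0 ? 0 : 1;
}
```

Checking at the point of use as well as at the point of storage matters here because the value passes through NVRAM between the HTTP handler and the code that builds the command.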

Exploit

Fix

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2025-14674
CVE-2025-60673

Affected Products

D-Link Dir-878A1