Analysis Summary

D-Link DIR-878 routers are affected by multiple critical vulnerabilities across all models and firmware versions. These devices reached their end-of-life on January 31, 2021, and no longer receive security updates or technical support from D-Link Corporation. The vulnerabilities allow remote attackers to gain full control over affected routers without requiring authentication, making them highly dangerous for both home and organizational networks.

Among the most severe flaws, CVE-2025-60672 and CVE-2025-60673 are command injection vulnerabilities in the router’s CGI web interface. Attackers can exploit the SetDynamicDNSSettings and SetDMZSettings functions by sending specially crafted HTTP requests, leading to arbitrary code execution. The first flaw arises from improper handling of the ServerAddress and Hostname parameters, stored in NVRAM without sanitization, while the second affects the IPAddress parameter in DMZ settings, which is improperly validated by the librcm.so library. Both carry critical CVSS scores of high, highlighting the high risk of unauthenticated remote exploitation.

Additional vulnerabilities include CVE-2025-60674, a stack buffer overflow in the rc binary’s USB storage-handling module triggered by improperly read USB serial numbers. This flaw requires physical access or a controlled USB device but allows arbitrary code execution. CVE-2025-60676 impacts the timelycheck and sysconf binaries, enabling attackers with write access to /tmp/new_qos to execute arbitrary commands due to insufficient validation of text input. These issues collectively demonstrate the router’s susceptibility to remote and local attacks, potentially compromising connected devices.

D-Link strongly recommends that users upgrade to current-generation products or perform comprehensive data backups immediately. Organizations using DIR-878 routers should isolate them from untrusted networks and enforce restrictive firewall rules. For users unable to upgrade, ensuring the device runs the latest available firmware, using strong and unique administrative passwords, and enabling Wi-Fi encryption are essential mitigation steps. Continued use of these end-of-life routers poses significant security risks to all connected systems.

Impact

• Code Execution
• Gain Access

Indicators of Compromise

CVE

• CVE-2025-60672

• CVE-2025-60673

• CVE-2025-60674

• CVE-2025-60676

Affected Vendors

Remediation

• Ensure the latest available firmware is installed on all DIR-878 routers if replacement is not immediately possible.
• Replace DIR-878 routers with current-generation devices that are actively supported by the manufacturer.
• Isolate affected routers from untrusted networks, including the internet and guest Wi-Fi networks.
• Implement strict firewall rules to limit inbound and outbound traffic to only trusted sources.
• Use strong, unique passwords for router administration accounts.
• Enable Wi-Fi encryption (WPA3 or WPA2 at minimum) to prevent unauthorized access.
• Perform comprehensive backups of router configurations and critical network data.
• Restrict access to USB ports and the router itself to prevent exploitation of physical vulnerabilities.
• Regularly monitor router logs for unusual activity or unauthorized configuration changes.
• Recognize that continued use of end-of-life devices carries inherent security risks and plan replacement accordingly.