Security Vulnerability Report
中文
CVE-2025-60700 CVSS 6.5 MEDIUM

CVE-2025-60700

Published: 2025-11-13 18:15:54
Last Modified: 2025-11-17 12:28:41
Source: [email protected]

Description

A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `librcm.so` binaries. The `sub_4455BC` function in `prog.cgi` stores user-supplied `SetDMZSettings/IPAddress` values in NVRAM via `nvram_safe_set("dmz_ipaddr", ...)`. These values are later retrieved in the `DMZ_run` function of `librcm.so` using `nvram_safe_get` and concatenated into `iptables` shell commands executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:o:dlink:dir-882_firmware:1.02b02:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:dlink:dir-882:a1:*:*:*:*:*:*:* - NOT VULNERABLE
DIR882A1_FW102B02

PoC / Exploit Code

No PoC code available.

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60700", "sourceIdentifier": "[email protected]", "published": "2025-11-13T18:15:54.010", "lastModified": "2025-11-17T12:28:40.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the D-Link DIR-882 Router firmware DIR882A1_FW102B02 within the `prog.cgi` and `librcm.so` binaries. The `sub_4455BC` function in `prog.cgi` stores user-supplied `SetDMZSettings/IPAddress` values in NVRAM via `nvram_safe_set(\"dmz_ipaddr\", ...)`. These values are later retrieved in the `DMZ_run` function of `librcm.so` using `nvram_safe_get` and concatenated into `iptables` shell commands executed via `twsystem()` without any sanitization. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary commands on the device through specially crafted HTTP requests to the router's web interface."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:dlink:dir-882_firmware:1.02b02:*:*:*:*:*:*:*", "matchCriteriaId": "5D969AE6-54B1-4A8C-8A2D-8C8B0C3EF9B2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:dlink:dir-882:a1:*:*:*:*:*:*:*", "matchCriteriaId": "90575122-CE47-42E5-BCE3-6444599B16B3"}]}]}], "references": [{"url": "https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/3.md", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-882/CVE-2025-60700.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.dlink.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.dlink.com/en/security-bulletin/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.