D-Link DIR-878 routers have critical RCE flaws

Summary
– D-Link has disclosed three remotely exploitable command execution vulnerabilities affecting all DIR-878 router models, which are end-of-service but still sold.
– The vulnerabilities include CVE-2025-60672 and CVE-2025-60673 for remote unauthenticated command execution and CVE-2025-60676 for arbitrary command execution via unsanitized fields.
– One vulnerability, CVE-2025-60674, requires physical access or USB device control and involves a stack overflow from an oversized Serial Number field.
– CISA rates these vulnerabilities as medium-severity, but publicly available exploit code increases the risk of exploitation by threat actors such as botnet operators.
– The DIR-878 router reached end-of-life in 2021, so D-Link will not release security updates and recommends replacing the device with a supported model.
D-Link has issued a critical security alert concerning its DIR-878 wireless router, identifying three severe vulnerabilities that allow remote command execution without requiring authentication. These security flaws impact every hardware version and model of the DIR-878, a device that is no longer receiving manufacturer support but remains available for purchase in various regions. A security researcher known as Yangyifan has already released technical specifics and functional exploit code, increasing the risk of active attacks.
Initially released in 2017, the DIR-878 was marketed as a high-performance dual-band router suitable for home offices and small businesses. Although D-Link officially discontinued support for this model in 2021, new and used units are still being sold at prices ranging from $75 to $122. The manufacturer has confirmed it will not provide security patches and advises customers to upgrade to a currently supported router model.
D-Link’s security advisory outlines a total of four vulnerabilities. Three of these can be exploited remotely, while the fourth requires either physical access to the router or control over a connected USB storage device. The remotely exploitable flaws are particularly dangerous because they do not require the attacker to have login credentials.
One vulnerability, tracked as CVE-2025-60672, enables unauthenticated remote command execution by manipulating parameters in the SetDynamicDNSSettings function. These parameters are stored in non-volatile memory and later used in system-level commands. Another, identified as CVE-2025-60673, also permits remote command execution through the SetDMZSettings feature, where an unsanitized IP address value is directly injected into iptables commands.
A third remote flaw, CVE-2025-60676, allows arbitrary command execution via unsanitized input fields written to the file /tmp/new_qos.rule, which is then processed by system binaries using the system() function. The fourth issue, CVE-2025-60674, is a stack-based buffer overflow triggered when a USB storage device with an overly long “Serial Number” field is connected. This requires either physical access or control over the USB device itself.
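The DMZ case above is the classic pattern of an untrusted value concatenated into a shell command. As an added illustration (not D-Link's firmware code, and not from the advisory), this C snippet shows the defensive shape a handler for such a setting would take: reject anything that is not a strict dotted-quad IPv4 address, and hand the validated value to iptables as its own argv element rather than through system(). The function names and the exact iptables rule are hypothetical.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Strict dotted-quad IPv4 check: four decimal octets 0-255, no leading zeros,
 * no character outside [0-9.]; ';', '`', '$', '|' etc. never reach a command. */
int is_valid_ipv4(const char *s)
{
    int octets = 0;
    if (s == NULL || *s == '\0' || strlen(s) > 15) return 0;
    while (*s) {
        int value = 0, digits = 0;
        if (*s == '0' && isdigit((unsigned char)s[1])) return 0; /* "01" */
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (value > 255 || ++digits > 3) return 0;
            s++;
        }
        if (digits == 0) return 0;          /* empty octet, e.g. "1..2.3" */
        octets++;
        if (*s == '.') {
            if (octets == 4) return 0;      /* trailing dot */
            s++;
        } else if (*s != '\0') {
            return 0;                       /* any other character is rejected */
        }
    }
    return octets == 4;
}

/* Apply a DMZ rule without a shell: the validated IP is passed as a single
 * argv element to execvp, so no string is ever parsed for metacharacters.
 * Hypothetical rule layout; the real firmware's rule is not on the page. */
int apply_dmz_rule(const char *dmz_ip)
{
    if (!is_valid_ipv4(dmz_ip)) return -1;  /* refuse; run nothing */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "iptables", "-t", "nat", "-A", "PREROUTING",
            "-j", "DNAT", "--to-destination", (char *)dmz_ip, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same two-step shape, allow-list validation followed by an exec without a shell, applies equally to the DDNS and QoS fields described above.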
Although the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has assigned these vulnerabilities a medium-severity rating, the public release of exploit code significantly raises the threat level. Cybercriminals, especially botnet operators, frequently incorporate newly published exploits into their attack toolkits to target vulnerable devices on a large scale.
For example, the RondoDox botnet is known to leverage more than 56 known security flaws, including several affecting older D-Link products, and continuously integrates new vulnerabilities. More recently, security outlets reported on the Aisuru botnet, which executed a massive distributed denial-of-service attack targeting Microsoft’s Azure infrastructure. That incident involved over 500,000 unique IP addresses and reached a peak traffic volume of 15.72 terabits per second.
(Source: Bleeping Computer)