CVE-2025-60671: Critical Command Injection Vulnerability in D-Link DIR-823G Router

Overview

CVE-2025-60671 is a command injection vulnerability affecting the D-Link DIR-823G router, specifically the firmware version DIR823G_V1.0.2B05_20181207.bin. This flaw allows an attacker with write access to the /var/system/linux_vlan_reinit file to execute arbitrary commands on the device. This poses a significant security risk, potentially allowing attackers to gain full control of the router.

Technical Details

The vulnerability resides in the timelycheck and sysconf binaries within the D-Link DIR-823G router’s firmware. These binaries process the /var/system/linux_vlan_reinit file. The core issue is insufficient validation of the content read from this file. While the code performs a prefix check, it’s inadequate to prevent command injection. The validated (but still vulnerable) content is then formatted using vsnprintf() before being executed with the system() function. Consequently, by crafting malicious content within the /var/system/linux_vlan_reinit file, an attacker can inject and execute arbitrary commands with elevated privileges.

The specific steps leading to the vulnerability are:

1. Attacker gains write access to /var/system/linux_vlan_reinit.
2. Attacker crafts a malicious payload containing commands to be executed.
3. The timelycheck or sysconf binary reads the contents of /var/system/linux_vlan_reinit.
4. Insufficient validation is performed.
5. The content is passed to vsnprintf() and then executed using system().
6. The attacker’s commands are executed on the router.

CVSS Analysis

Currently, the CVSS score and severity rating for CVE-2025-60671 are not available (N/A). However, given the nature of the command injection vulnerability and the potential for complete system compromise, it is likely to be rated as High or Critical severity once assessed.

Possible Impact

The exploitation of CVE-2025-60671 can have severe consequences:

• Full Router Control: An attacker can gain complete control over the D-Link DIR-823G router.
• Data Theft: Sensitive information, such as Wi-Fi passwords and network configuration, can be stolen.
• Malware Installation: The router can be used as a platform to install malware, potentially spreading to connected devices.
• Network Manipulation: An attacker can manipulate network traffic, redirecting users to malicious websites or intercepting data.
• Botnet Recruitment: The compromised router can be added to a botnet, participating in distributed denial-of-service (DDoS) attacks.

Mitigation or Patch Steps

The primary mitigation step is to update the D-Link DIR-823G router to a firmware version that addresses this vulnerability. Check the D-Link support website for the latest firmware updates.

1. Check Firmware Version: Log into the router’s web interface and check the current firmware version.
2. Download Firmware: Visit the D-Link official website and download the latest firmware for the DIR-823G router.
3. Apply Update: Follow the instructions provided by D-Link to update the firmware. This usually involves uploading the downloaded firmware file through the router’s web interface.
4. Secure Access: Ensure the router’s web interface is protected with a strong password and that remote access is disabled unless explicitly required.

If an update is not yet available, consider replacing the vulnerable device.

References

• D-Link Official Website
• GitHub Analysis of CVE-2025-60671
• D-Link Website
• D-Link Security Bulletin