Overview
A critical command injection vulnerability, identified as CVE-2025-60700, has been discovered in the D-Link DIR-882 Router running firmware version DIR882A1_FW102B02. This flaw allows unauthenticated remote attackers to execute arbitrary commands on the affected device. The vulnerability resides within the `prog.cgi` and `librcm.so` binaries, specifically related to the DMZ settings.
Technical Details
The vulnerability stems from insufficient input sanitization when handling user-supplied data related to DMZ settings. Here’s a breakdown:
- The `sub_4455BC` function within `prog.cgi` stores the IP address provided by the user through the `SetDMZSettings/IPAddress` parameter in NVRAM (Non-Volatile Random-Access Memory, the router's persistent configuration store) using `nvram_safe_set("dmz_ipaddr", ...)`.
- Subsequently, the `DMZ_run` function in `librcm.so` retrieves this stored IP address using `nvram_safe_get`.
- Crucially, the retrieved value is concatenated directly into an `iptables` shell command string, which is then executed through `twsystem()`, a `system()`-style call that hands the string to a shell. Because `dmz_ipaddr` is never validated as an IP address, shell metacharacters such as `;` in the value terminate the intended command and start an attacker-supplied one. Note that the injection is second-order: the value is written by one component (`prog.cgi`) and consumed later by another (`librcm.so`), so a fix that only filters at the point of storage leaves the consumer exposed to any other path that writes `dmz_ipaddr`.
- Because no authentication is required, a remote attacker can send specially crafted HTTP requests to exploit this vulnerability.
This lack of validation lets an attacker run arbitrary commands with the privileges of the process that applies the firewall rule, which on consumer routers of this class is typically root.
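The following C program is an added illustration, not code from the D-Link firmware or from the advisory. It models the data flow described above: a value read back from configuration storage is pasted into an `iptables` command string destined for a shell, and beside it the hardened form that validates the value with `inet_pton()` and builds an `argv` array for `execve()`-style execution so no shell ever parses it. The function names, the exact `iptables` rule, and the payload string are assumptions; only the store, retrieve, concatenate, execute sequence comes from the advisory. Nothing is executed, the program only shows what a shell would have received.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed attacker-controlled value standing in for what a crafted
 * SetDMZSettings/IPAddress request would leave in nvram "dmz_ipaddr".
 * The text after ';' is a harmless placeholder, not a real payload. */
static const char *PAYLOAD = "192.168.0.50; touch /tmp/pwned";

/* Vulnerable pattern (modelled, not D-Link's code): the stored value is
 * pasted into a command line that a system()-style call would hand to
 * /bin/sh. Returns the exact string the shell would parse. */
const char *build_dmz_cmd_unsafe(const char *dmz_ipaddr)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd,
             "iptables -t nat -A PREROUTING -j DNAT --to-destination %s",
             dmz_ipaddr);
    return cmd;
}

/* Strict IPv4 validation: inet_pton() accepts only a dotted quad, so any
 * whitespace or shell metacharacter makes it fail. Returns 1 if valid. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    return s != NULL && inet_pton(AF_INET, s, &addr) == 1;
}

/* Hardened pattern: validate first, then place the address in its own
 * argv slot for execve()/posix_spawn() so no shell is involved. Fills
 * argv (NULL-terminated) and returns the argument count, or -1 if the
 * value is rejected or argv is too small. */
int build_dmz_argv(const char *dmz_ipaddr, const char *argv[], size_t n)
{
    static const char *fixed[] = {
        "iptables", "-t", "nat", "-A", "PREROUTING",
        "-j", "DNAT", "--to-destination"
    };
    size_t k = sizeof fixed / sizeof fixed[0];   /* 8 fixed words */

    if (!is_valid_ipv4(dmz_ipaddr) || n < k + 2)
        return -1;
    for (size_t i = 0; i < k; i++)
        argv[i] = fixed[i];
    argv[k] = dmz_ipaddr;   /* one argv element, never re-parsed by a shell */
    argv[k + 1] = NULL;
    return (int)(k + 1);
}

int main(void)
{
    const char *argv[16];

    printf("unsafe, shell receives: %s\n", build_dmz_cmd_unsafe(PAYLOAD));
    if (build_dmz_argv(PAYLOAD, argv, 16) < 0)
        printf("hardened: value rejected, nothing executed\n");
    if (build_dmz_argv("192.168.0.50", argv, 16) > 0)
        printf("hardened: argv[8] = %s\n", argv[8]);
    return 0;
}
```

Two design points carry over to the real fix. Validation belongs at the consumer (`DMZ_run`) as well as at the writer (`prog.cgi`), because the NVRAM value can be set by more than one path. And replacing the shell with an `argv` array removes the injection class entirely, whereas character filtering only blocks the metacharacters the filter author thought of.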
CVSS Analysis
No CVSS score had been assigned at the time of writing. As an estimate, an unauthenticated, network-reachable command injection that yields full control of the device maps to the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, a base score of 9.8 (Critical); the official rating should be checked once it is published.
Possible Impact
Successful exploitation of this vulnerability can have severe consequences, including:
- Complete compromise of the router: Attackers can gain full control of the router’s operating system.
- Data exfiltration: Sensitive information stored on the router or passing through it can be stolen.
- Malware deployment: The router can be used as a platform to deploy malware onto the local network or to participate in botnets.
- Denial of service (DoS): The router’s functionality can be disrupted, rendering it unusable.
- Network manipulation: Attackers can redirect traffic, intercept communications, and perform other malicious activities on the network.
Mitigation or Patch Steps
The primary mitigation is to update the router's firmware to a version that fixes this flaw, if D-Link has published one; confirm this against the vendor's security bulletin rather than assuming a fix exists. Please follow these steps:
- Check for Firmware Updates: Visit the D-Link website and navigate to the support page for the DIR-882 router.
- Download and Install the Latest Firmware: Download the latest available firmware version. Carefully follow the instructions provided by D-Link for updating the firmware.
- Consult D-Link Security Bulletin: Refer to the D-Link Security Bulletin page for specific details and instructions related to CVE-2025-60700.
- Disable Remote Management (If Possible): If not needed, disable remote management so the web interface, and with it `prog.cgi`, is not reachable from the WAN. This does not close the LAN path: any host on the internal network, including a compromised IoT device, can still send the crafted request.
- Monitor Network Traffic: Watch for HTTP requests to `prog.cgi` carrying `SetDMZSettings` with shell metacharacters in the `IPAddress` value, and for unexpected outbound connections originating from the router itself, which would indicate post-exploitation activity.
- Plan for No Fix: If no fixed firmware is available for the DIR-882, treat the device as exposed and plan to replace it rather than rely on the workarounds above.
Important: It is crucial to apply the firmware update as soon as possible to protect your router and network from potential attacks.
