- Description
- An unauthenticated command injection vulnerability exists in the D-Link DIR-878A1 router firmware FW101B04.bin. The vulnerability occurs in the 'SetNetworkSettings' functionality of prog.cgi, where the 'IPAddress' and 'SubnetMask' parameters are directly concatenated into shell commands executed via system(). An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.
- Source
- cve@mitre.org
- NVD status
- Analyzed
- Products
- dir-878_firmware
CVSS 3.1
- Type
- Secondary
- Base score
- 6.5
- Impact score
- 2.5
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- 134c704f-9b21-4f2e-91b3-4a467353bcc0
- CWE-77
- Hype score
- Not currently trending
csirt_it: ‼ #D-Link: #PoC available for exploiting CVE-2025-60672, CVE-2025-60673, CVE-2025-60674 and CVE-2025-60676, which affect the DIR-878 #router Risk: 🔴 Type: 🔸 Remote Code Execution 🔸 Arbitrary Code Execution … https://t.co/sCJZ5Niu
@Vulcanux_
19 Nov 2025
‼ #D-Link: #PoC available for exploiting CVE-2025-60672, CVE-2025-60673, CVE-2025-60674 and CVE-2025-60676, which affect the DIR-878 #router Risk: 🔴 Type: 🔸 Remote Code Execution 🔸 Arbitrary Code Execution https://t.co/9ShXXMYajN https://t.c
@csirt_it
19 Nov 2025
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:dlink:dir-878_firmware:1.01b04:*:*:*:*:*:*:*",
            "matchCriteriaId": "CF6C5938-ACC7-4DD4-B3EF-AD64468AD60F",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:dlink:dir-878:a1:*:*:*:*:*:*:*",
            "matchCriteriaId": "70A35F2E-E46F-47CF-BF0F-9CF9A3242EDC",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]