D-Link is warning of three remotely exploitable command execution vulnerabilities that affect all models and hardware revisions of its DIR-878 router, which has reached end-of-service but is still available in several markets.
Technical details and proof-of-concept (PoC) exploit code demonstrating the vulnerabilities have been published by a researcher using the name Yangyifan.
Typically used in homes and small offices, the DIR-878 was hailed as a high-performance dual-band wireless router when it launched in 2017.
Although the device is no longer supported, it can still be purchased new or used for prices between $75 and $122.
However, because the DIR-878 reached end-of-life (EoL) in 2021, D-Link warned that it will not release security updates for this model and recommends replacing it with an actively supported product.
In total, D-Link's security advisory lists four vulnerabilities, only one of which requires physical access or control over a USB device for exploitation.
CVE-2025-60672 – Remote unauthenticated command execution via SetDynamicDNSSettings parameters stored in NVRAM and used in system commands.
CVE-2025-60673 – Remote unauthenticated command execution via SetDMZSettings and unsanitized IPAddress value injected into iptables commands.
CVE-2025-60674 – Stack overflow in USB storage handling due to oversized “Serial Number” field (physical or USB-device-level attack).
CVE-2025-60676 – Arbitrary command execution via unsanitized fields in /tmp/new_qos.rule, processed by binaries using system().
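The command-execution flaws listed above share one pattern: a request field ends up inside a command string handed to a shell. As an added example (not D-Link's firmware code and not taken from the advisory), the C code below shows the defensive counterpart for an IPAddress-style field: strict validation followed by execution through an argument vector with no shell. The function names and the shape of the iptables rule are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <spawn.h>
#include <stddef.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Risky pattern described above (for contrast only):
 *   snprintf(cmd, sizeof cmd, "iptables ... %s", ip); system(cmd);
 * The shell parses the whole string, so metacharacters in ip become commands. */

/* Return 1 only for a strict dotted-quad IPv4 address, 0 otherwise. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > 15)   /* "255.255.255.255" is 15 chars */
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Fill argv for a hypothetical DNAT rule; returns argc, or -1 on rejection. */
int build_dmz_argv(const char *ip, const char *argv[], size_t cap)
{
    const char *fixed[] = { "iptables", "-t", "nat", "-A", "PREROUTING",
                            "-j", "DNAT", "--to-destination" };
    size_t n = sizeof fixed / sizeof fixed[0];
    if (!is_valid_ipv4(ip) || cap < n + 2)
        return -1;
    memcpy(argv, fixed, sizeof fixed);
    argv[n] = ip;        /* passed as one argument, never re-parsed */
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

/* Run the rule without a shell; returns iptables' exit status or -1. */
int apply_dmz_rule(const char *ip)
{
    const char *argv[16];
    pid_t pid;
    int status;
    if (build_dmz_argv(ip, argv, 16) < 0)
        return -1;
    if (posix_spawnp(&pid, argv[0], NULL, NULL, (char *const *)argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Values read back from NVRAM or from rule files such as a QoS rule file need the same validation at the point of use, since they were attacker-controlled when stored.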