D-Link has issued a security advisory warning users of the DIR-878 router series that multiple newly disclosed vulnerabilities—including three unauthenticated remote command execution flaws—will not be patched, as the product reached End-of-Life (EOL) and End-of-Service (EOS) years earlier. The company strongly urges customers to replace the device immediately.
The advisory discloses four vulnerabilities across the DIR-878 firmware, three of which allow unauthenticated remote attackers to execute arbitrary system commands by abusing CGI parameters or configuration files. Despite the severity, none of the vulnerabilities will receive fixes due to the EOL status.
CVE-2025-60672 — Dynamic DNS Command Injection (Unauthenticated RCE)
The first vulnerability targets the router’s SetDynamicDNSSettings function.
According to the advisory, “The ‘ServerAddress’ and ‘Hostname’ parameters in prog.cgi are stored in NVRAM and later used by rc to construct system commands executed via twsystem().”
D-Link warns that: “An attacker can exploit this vulnerability remotely without authentication by sending a specially crafted HTTP request, leading to arbitrary command execution on the device.”
This allows full device compromise with no password required.
CVE-2025-60673 — DMZ Parameter Injection (Unauthenticated RCE)
A second flaw opens the door to similar command injection through the SetDMZSettings functionality.
Per the advisory, “The ‘IPAddress’ parameter in prog.cgi is stored in NVRAM and later used by librcm.so to construct iptables commands executed via twsystem().”
And again, D-Link confirms the severity: “An attacker can exploit this vulnerability remotely without authentication… leading to arbitrary command execution.”
CVE-2025-60674 — USB Serial Number Buffer Overflow (Physical Exploit)
Unlike the first two, CVE-2025-60674 requires physical access or control over a malicious USB device.
The advisory describes the issue: “The vulnerability occurs when the ‘Serial Number’ field from a USB device is read via sscanf into a 64-byte stack buffer, while fgets reads up to 127 bytes, causing a stack overflow.”
This enables a well-crafted USB stick to potentially execute arbitrary code on the router.
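The mismatch the advisory describes (a 127-byte line read with fgets, then a "%s" conversion into a 64-byte buffer) is a textbook width-specifier bug. The following C code is an added illustration, not D-Link firmware and not code from the advisory: it shows the width-limited sscanf fix beside a stricter variant that rejects over-long serial numbers, exercised on constructed sample lines. Buffer sizes come from the advisory; the function names and the sample serial strings are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define SERIAL_BUF_LEN 64    /* the 64-byte stack buffer named in the advisory */
#define LINE_BUF_LEN   128   /* fgets(line, 128, fp) returns at most 127 bytes plus NUL */

/* Pattern the advisory describes, kept as a comment only:
 *   char line[LINE_BUF_LEN], serial[SERIAL_BUF_LEN];
 *   fgets(line, sizeof line, fp);
 *   sscanf(line, "%s", serial);   // no width: a 127-byte token overruns 'serial'
 */

/* Minimal fix: a width one less than the buffer size, so the terminator always fits.
 * Returns the number of characters stored; over-long input is silently truncated. */
size_t parse_serial_width_limited(const char *line, char out[SERIAL_BUF_LEN]) {
    out[0] = '\0';
    if (sscanf(line, "%63s", out) != 1) return 0;
    return strlen(out);
}

/* Stricter fix: treat an over-long value as an error rather than a different serial.
 * Returns 0 on success, -1 if the token is empty or would not fit with its terminator. */
int parse_serial_strict(const char *line, char out[SERIAL_BUF_LEN]) {
    while (*line && isspace((unsigned char)*line)) line++;   /* same skipping "%s" does */
    size_t tok_len = strcspn(line, " \t\r\n\v\f");
    if (tok_len == 0 || tok_len >= SERIAL_BUF_LEN) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, line, tok_len);
    out[tok_len] = '\0';
    return 0;
}

/* Constructed input (assumption): an ordinary serial number line. */
int demo_normal_serial(void) {
    char out[SERIAL_BUF_LEN];
    return parse_serial_strict("  SN0123456789\n", out) == 0
        && strcmp(out, "SN0123456789") == 0;
}

/* Constructed input: a 126-character token plus newline, the longest line fgets() could hand back. */
int demo_overlong_serial(void) {
    char line[LINE_BUF_LEN], a[SERIAL_BUF_LEN], b[SERIAL_BUF_LEN];
    memset(line, 'A', LINE_BUF_LEN - 2);
    line[LINE_BUF_LEN - 2] = '\n';
    line[LINE_BUF_LEN - 1] = '\0';
    int strict_rejects  = parse_serial_strict(line, a) == -1;
    int width_truncates = parse_serial_width_limited(line, b) == SERIAL_BUF_LEN - 1;
    return strict_rejects && width_truncates;
}

int main(void) {
    printf("normal serial parsed correctly: %d\n", demo_normal_serial());
    printf("over-long serial handled safely: %d\n", demo_overlong_serial());
    return 0;
}
```

The width-limited form is the one-line patch a vendor would typically ship; the strict form is preferable when a truncated serial could later be used as an identifier, because it makes the bad input visible instead of quietly changing it.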
CVE-2025-60676 — QoS Rule Injection Leads to RCE
A fourth flaw exists in the router's QoS configuration handling, in the timelycheck and sysconf binaries.
According to the advisory, “The vulnerability occurs because parsed fields from the /tmp/new_qos.rule configuration file are concatenated into command strings and executed via system() without any sanitization.”
Thus: “An attacker with write access to /tmp/new_qos.rule can execute arbitrary commands on the device.”
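The three command-injection flaws share one root cause: a value taken from an HTTP parameter or a configuration file (ServerAddress, Hostname, IPAddress, or a parsed QoS field) is concatenated into a command string and handed to a shell through twsystem() or system(). The C code below is an added illustration of the two controls that break that chain, not D-Link code: allowlist validation of each value before it is stored, and passing the value as a single argv element instead of a shell string. The validator and builder names, the hostname rules, and the exact iptables arguments are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

/* DMZ IPAddress: accept only a literal IPv4 address. inet_pton() fails on any
 * trailing characters, so ';', '`', '$', '|' and spaces can never get through. */
int validate_dmz_ipaddress(const char *s) {
    struct in_addr a;
    return s != NULL && inet_pton(AF_INET, s, &a) == 1;
}

/* DDNS Hostname: RFC 1123-style labels of [A-Za-z0-9-] joined by '.', no empty
 * labels, no leading/trailing '-', at most 63 chars per label and 253 overall. */
int validate_ddns_hostname(const char *s) {
    if (s == NULL) return 0;
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    size_t label_len = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || s[i - 1] == '-') return 0;
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (label_len == 0 && c == '-') return 0;
            if (++label_len > 63) return 0;
        } else {
            return 0;   /* every other character, including shell metacharacters, is rejected */
        }
    }
    return label_len > 0 && s[n - 1] != '-';
}

/* QoS rule field: the same allowlist idea for a parsed configuration field.
 * Accept only a plain token of [A-Za-z0-9._:-]; anything else is an error. */
int validate_plain_token(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '_' || c == ':' || c == '-')) return 0;
    }
    return 1;
}

/* Build an argv for iptables instead of a command string. The user-supplied value is
 * one argument, so no shell ever parses it. Returns argc, or -1 if argv is too small.
 * The rule shape is illustrative; a real DMZ rule would carry more arguments. */
int build_dmz_argv(const char *ip, const char *argv[], int max) {
    const char *fixed[] = { "iptables", "-t", "nat", "-A", "PREROUTING",
                            "-j", "DNAT", "--to-destination" };
    size_t nfixed = sizeof fixed / sizeof fixed[0];
    if ((size_t)max < nfixed + 2) return -1;   /* fixed args + ip + NULL terminator */
    int argc = 0;
    for (size_t i = 0; i < nfixed; i++) argv[argc++] = fixed[i];
    argv[argc++] = ip;
    argv[argc] = NULL;
    return argc;
}

/* Constructed check: the argv carries the address as its own element, with a NULL terminator. */
int demo_dmz_argv(void) {
    const char *argv[16];
    int argc = build_dmz_argv("192.168.0.10", argv, 16);
    return argc == 9 && argv[argc] == NULL && strcmp(argv[8], "192.168.0.10") == 0;
}

int main(void) {
    /* constructed sample values: one well-formed, one carrying a shell metacharacter */
    printf("192.168.0.10        -> %d\n", validate_dmz_ipaddress("192.168.0.10"));
    printf("192.168.0.10; extra -> %d\n", validate_dmz_ipaddress("192.168.0.10; extra"));
    printf("home.example.com    -> %d\n", validate_ddns_hostname("home.example.com"));
    printf("argv built cleanly  -> %d\n", demo_dmz_argv());
    return 0;
}
```

Validation alone is not enough on its own: if the value still reaches twsystem() as part of a string, any gap in the allowlist becomes a command. The argv form removes the shell from the path entirely (execve() or posix_spawn() rather than system()), which is why both controls belong together.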
This could be exploited by attackers who have already gained limited access via another flaw.
No Patches Coming — Users Advised to Replace Router Immediately
D-Link’s advisory makes clear that all DIR-878 hardware is sunset: “In line with industry practice, D-Link may periodically determine that certain products have reached a stage where further support or development is no longer attainable.”
Users are urged to take one of the following steps:
- Transition to a current-generation product
- Perform comprehensive data backup
- Contact a D-Link regional office for further recommendations
Because these vulnerabilities enable unauthenticated remote command execution, continued use of the DIR-878 series poses significant risk—especially if the device is exposed to the internet.