D-Link has disclosed four critical vulnerabilities in its DIR-878 router series, which reached end-of-life status over four years ago, allowing attackers to execute remote code without authentication.
These flaws affect all hardware revisions and firmware versions worldwide, posing severe risks to users still relying on these outdated devices.
Published on November 17, 2025, under security advisory SAP10475, the report states that no patches will be issued due to the product’s end-of-service lifecycle, which ends on January 31, 2021.
The DIR-878, a popular dual-band Wi-Fi router, handles home and small office networks but lacks ongoing support from D-Link.
Security researchers identified these issues through third-party analysis, revealing how attackers could compromise the device via crafted HTTP requests or physical access.
Since the router is end-of-life, continued use exposes networks to potential breaches, including data theft or malware deployment.
D-Link urges immediate replacement to mitigate threats from these unpatched weaknesses.
Vulnerability Details
The most dangerous flaws enable remote code execution, allowing hackers to inject malicious commands that fully control the router.
CVE-2025-60672, rated at a critical CVSS score of 9.8, targets the SetDynamicDNSSettings function in the program cgi script.
Attackers send unauthenticated HTTP requests that manipulate the ServerAddress and Hostname parameters stored in NVRAM.
Later, the rc daemon retrieves these values to build system commands executed through the twsystem() function, allowing arbitrary code without needing login credentials.
This could let remote foes alter network settings or install backdoors seamlessly.
Similarly, CVE-2025-60673 also scores 9.8 on CVSS and exploits the SetDMZSettings feature in prog.cgi.
Here, the IPAddress input is saved to NVRAM and used by the librcm. So, library to form iptables firewall rules via twsystem().
A specially crafted request bypasses authentication, injecting commands that run with root privileges, potentially compromising the router.
Both vulnerabilities stem from improper input sanitization in command construction, a common issue in legacy embedded systems.
CVE-2025-60674 involves a stack buffer overflow in the rc binary’s USB handling module, earning a high severity rating.
When processing a USB device’s Serial Number, the code uses sscanf() on a 64-byte buffer but reads up to 127 bytes via fgets(), overflowing the stack.
An attacker with physical access inserts a malicious USB drive to trigger code execution, which might chain with other flaws for broader attacks.
Though not remote, it remains dangerous in shared environments like offices.
Finally, CVE-2025-60676, with a CVSS score of 8.8, affects the timelycheck and sysconf binaries that parse/tmp/new_qos.rule file for quality-of-service settings.
Unsanitized fields from this config are directly concatenated into system calls, enabling command injection if an attacker writes to the file.
Local access alone is sufficient, but combined with remote flaws, it amplifies risks.
| CVE ID | Description | CVSS Score | Attack Vector |
| CVE-2025-60672 | Command injection via Dynamic DNS settings | 9.8 (Critical) | Network (Remote) |
| CVE-2025-60673 | Command injection via DMZ settings | 9.8 (Critical) | Network (Remote) |
| CVE-2025-60674 | Stack overflow in USB handling | 7.8 (High) | Physical |
| CVE-2025-60676 | Command injection in QoS config | 8.8 (High) | Local |
Recommendations For Users
D-Link recommends transitioning to modern routers with active support, as the DIR-878 no longer receives updates or technical assistance.
Users should back up data and contact regional offices for migration advice via the D-Link website.
If replacement isn’t immediate, apply the latest firmware from the legacy support page, though it won’t fix these vulnerabilities.
Strengthen security by changing default passwords, enabling WPA3 encryption, and isolating the device on the network.
Continued use of EOL products like the DIR-878 heightens exposure to exploits, especially amid the rise in IoT attacks.
Organizations should scan networks for these routers using tools like Shodan and prioritize upgrades.
While resolved in the sense of disclosure, the lack of patches means proactive replacement is essential to avoid real-world compromises.
Staying vigilant with firmware checks and strong credentials remains key until full retirement.
