D-Link is warning of three remotely exploitable command execution vulnerabilities that affect all models and hardware revisions of its DIR-878 router, which has reached end-of-service but is still available in several markets.
Technical details and proof-of-concept (PoC) exploit code demonstrating the vulnerabilities have been published by a researcher using the name Yangyifan.
Typically used in homes and small offices, the DIR-878 was hailed as a high-performance dual-band wireless router when it launched in 2017.
Even if the device is no longer supported, it can still be purchased new or used for prices between $75 and $122.
However, as DIR-878 has reached end-of-life (EoL) in 2021, D-Link warned that it will not release security updates for this model and recommends replacing it with an actively supported product.
In total, D-Link’s security advisory lists four vulnerabilities, only one of them requiring physical access or control over a USB device for exploitation.
- CVE-2025-60672 – Remote unauthenticated command execution via SetDynamicDNSSettings parameters stored in NVRAM and used in system commands.
- CVE-2025-60673 – Remote unauthenticated command execution via SetDMZSettings and unsanitized IPAddress value injected into iptables commands.
- CVE-2025-60674 – Stack overflow in USB storage handling due to oversized “Serial Number” field (physical or USB-device-level attack).
- CVE-2025-60676 – Arbitrary command execution via unsanitized fields in /tmp/new_qos.rule, processed by binaries using system().
Despite being remotely exploitable, and exploit code already publicly available, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has assessed that the vulnerabilities have a medium-severity score.
However, a publicly available exploit typically captures threat actors’ attention, especially botnet operators, who usually include them in their arsenal to expand targeting.
For instance, the large-scale botnet RondoDox uses more than 56 known flaws, some affecting D-Link devices, and keeps adding more of them.
More recently, BleepingComputer reported on the Aisuru botnet, which launched a massive distributed denial-of-service (DDoS) attack against Microsoft’s Azure network, sending 15.72 terabits per second (Tbps) from over 500,000 IP addresses.
As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe.
This free cheat sheet outlines 7 best practices you can start using today.
