D-Link Warns of RCE Vulnerabilities in Older DIR-878 Routers

D-Link has issued a warning about three separate remote code execution (RCE) vulnerabilities in the DIR-878 router. The issues affect all models and hardware revisions of these routers. However, the devices have been unsupported since 2021, so patches will not be released. Instead, the company recommends that owners replace the vulnerable routers.

Vulnerability Details

A security researcher using the handle Yangyifan has published technical details and proof-of-concept (PoC) exploits for four vulnerabilities in DIR-878 routers, three of which can be exploited remotely:

  • CVE-2025-60672 — Unauthenticated remote command execution via the SetDynamicDNSSettings parameters stored in NVRAM.
  • CVE-2025-60673 — Unauthenticated remote command execution via SetDMZSettings and an unsanitized IPAddress value that is injected into iptables commands.
  • CVE-2025-60676 — Arbitrary command execution via unsanitized fields in /tmp/new_qos.rule.

A fourth vulnerability, CVE-2025-60674, is related to a stack-based buffer overflow during USB storage processing and requires physical access to exploit.
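The CVE-2025-60673 entry above describes an IPAddress value reaching iptables commands without sanitization. The following is an added illustration of the corresponding defensive pattern, not code from the article, the researcher, or D-Link firmware; the function names and the shape of the iptables rule are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not D-Link firmware code): accept only a strict
 * dotted-quad IPv4 literal for the DMZ host before it reaches iptables. */
int dmz_ip_is_valid(const char *ip)
{
    struct in_addr addr;
    char canon[INET_ADDRSTRLEN];

    if (ip == NULL || strlen(ip) >= INET_ADDRSTRLEN)
        return 0;
    /* inet_pton rejects trailing bytes such as ';' or whitespace. */
    if (inet_pton(AF_INET, ip, &addr) != 1)
        return 0;
    /* Round-trip so only the canonical spelling is accepted. */
    if (inet_ntop(AF_INET, &addr, canon, sizeof canon) == NULL)
        return 0;
    return strcmp(ip, canon) == 0;
}

/* Build an argv[] for execv() instead of a shell string: the address is
 * a single argument and is never parsed by /bin/sh. Returns argc or -1. */
int build_dmz_rule(const char *ip, const char *argv[], size_t cap)
{
    static const char *const fixed[] = {   /* assumed rule shape */
        "iptables", "-t", "nat", "-A", "PREROUTING",
        "-j", "DNAT", "--to-destination"
    };
    size_t n = sizeof fixed / sizeof fixed[0];

    if (!dmz_ip_is_valid(ip) || cap < n + 2)
        return -1;
    for (size_t i = 0; i < n; i++)
        argv[i] = fixed[i];
    argv[n] = ip;
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

int main(void)
{
    const char *argv[16];
    /* Constructed sample inputs: one clean address, one with a metacharacter. */
    printf("%d\n", build_dmz_rule("192.168.0.10", argv, 16));
    printf("%d\n", build_dmz_rule("192.168.0.10;x", argv, 16));
    return 0;
}
```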

Device Background

The DIR-878 model was first released in 2017 and was marketed as a high-performance dual-band router. Despite the devices reaching end-of-support in 2021, they can still be purchased both new and used.

Threat Assessment

Although CISA rates the vulnerabilities discovered by Yangyifan as medium severity, the availability of public exploits makes the DIR-878 an attractive target for botnet operators. For example, the RondoDox botnet exploits over 56 different vulnerabilities in its attacks, including bugs in D-Link devices.

Vendor Response and Recommendations

Representatives from D-Link confirmed they will not be releasing security updates for the end-of-life DIR-878 and strongly recommend that users replace the devices with actively supported models. Users who cannot immediately upgrade their hardware should disable the router's remote management feature and restrict access to the device's web interface.