At a glance: Critical, unauthenticated RCE flaws in D-Link’s DIR-878 060 router series now have public PoC exploits available. No patches exist for these EOL devices. Replace legacy hardware and disable remote management where possible. Field Effect MDR users will be alerted via ARO if vulnerable systems are detected.
On November 17, 2025, D-Link published advisory SAP10475 disclosing four critical vulnerabilities affecting its DIR-878 060 router series.
The D-Link DIR-878 060 series is a dual-band wireless router commonly deployed in small office and home office environments. All models, revisions, and firmware belonging to this router series, including derivative models, reached end-of-life (EOL) or end-of-service-life (EOSL) in 2021.
Public proof-of-concept (PoC) exploits were released on GitHub on November 13, 2025, four days prior to the vendor advisory.
The flaws, tracked as CVE-2025-60672, CVE-2025-60673, CVE-2025-60674, and CVE-2025-60676, stem from how the router’s web interface processes incoming requests. The interface allows external input to be executed as system-level commands, exposing the device to remote command execution (RCE) without requiring authentication. The attack vector involves sending HTTP POST requests with forged cookies (uid=admin) and malicious payloads.
The CVSS ratings have not yet been published but, based on the nature of the flaws, their severity is critical. The worst-case scenario includes full device compromise, persistent access, traffic interception, and lateral movement into internal networks.
The D-Link advisory does not reference any firmware patch or mitigation beyond acknowledging the vulnerabilities. All affected devices are EOL/EOS, so no security updates are planned.
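As an added detection example (not taken from the D-Link advisory or from Field Effect), the following Python triages HTTP request records for the pattern described above, POST requests carrying a uid=admin cookie, and separates WAN-side sources from LAN-side ones. The record format, field names, LAN subnet, placeholder path, and sample records are all constructed assumptions.

```python
import ipaddress
import json
from http.cookies import CookieError, SimpleCookie

# Assumption: the router's LAN subnet; any other source counts as WAN-side.
LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample (JSON lines) from a hypothetical HTTP sensor in front of
# the router's web interface. Field names and the path are placeholders.
SAMPLE_LOG = """\
{"src": "203.0.113.45", "method": "POST", "path": "/placeholder", "cookie": "uid=admin"}
{"src": "192.168.0.23", "method": "POST", "path": "/placeholder", "cookie": "uid=admin"}
{"src": "198.51.100.7", "method": "GET", "path": "/placeholder", "cookie": "uid=admin"}
{"src": "198.51.100.7", "method": "POST", "path": "/placeholder", "cookie": "xuid=admin; lang=en"}
{"src": "203.0.113.45", "method": "POST", "path": "/placeholder", "cookie": "lang=en; uid=administrator"}
not-json garbage line
{"src": "198.51.100.7", "method": "post", "path": "/placeholder", "cookie": "lang=en; uid=admin"}
"""


def has_admin_uid_cookie(header):
    """True only for a cookie named exactly 'uid' whose value is 'admin'."""
    jar = SimpleCookie()
    try:
        jar.load(header)  # parsed, so 'xuid=admin' / 'uid=administrator' miss
    except CookieError:
        return False
    return "uid" in jar and jar["uid"].value == "admin"


def triage(log_text):
    """Return (line_no, src, origin) for each POST carrying uid=admin."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            src = ipaddress.ip_address(rec["src"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record: skip it and keep processing
        if str(rec.get("method", "")).upper() != "POST":
            continue
        if not has_admin_uid_cookie(str(rec.get("cookie") or "")):
            continue
        findings.append((line_no, str(src), "lan" if src in LAN else "wan"))
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

A "wan" finding means the web interface is reachable from outside the LAN, which is the exposure that disabling remote management removes. Whether legitimate admin sessions also carry this cookie is not stated on this page, so hits should be correlated with known administrative activity.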
Separately, on November 14, 2025, another vulnerability was disclosed affecting the D-Link DIR-816L router running firmware version 2_06_b09_beta. The flaw, tracked as CVE-2025-13188, is a stack-based buffer overflow that could lead to remote code execution.
A public PoC is available for this vulnerability as well, and the device is no longer supported by D-Link. It was assigned a CVSS v3 score of 9.8 and a v4 score of 8.9, indicating critical severity.
These vulnerabilities are trivially exploitable and pose a high risk to small business environments and remote workers. Disabling remote management features and segmenting networks to isolate legacy routers from sensitive infrastructure are recommended. Where feasible, replacing unsupported hardware with actively maintained alternatives is advised.
The availability of working PoC code significantly increases the risk of opportunistic attacks, especially in unmanaged or internet-exposed environments. Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment.