CVE-2025-60344

CVE-2025-60344 is a path traversal vulnerability affecting D-Link DSR series routers, specifically the models DSR-150, DSR-150N, and DSR-250N running firmware version 1.09B32_WW. The flaw stems from insufficient validation or sanitization of user-supplied input parameters used for file or directory path resolution, enabling attackers to employ sequences like "../" to access files outside the intended directory. This could expose sensitive system or configuration files, as classified under CWE-24 (Path Traversal) and CWE-200 (Exposure of Sensitive Information). The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility and confidentiality impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By manipulating input parameters in relevant endpoints, attackers can traverse directories and read arbitrary files, potentially retrieving configuration data, credentials, or system information that could facilitate further compromise of the router or connected networks. The changed scope (S:C) reflects the potential for broader impact beyond the vulnerable component.

Details on the vulnerability, including proof-of-concept exploits, are available in GitHub repositories published by researcher fyoozr at https://github.com/fyoozr/D-Link-DSR-N250-LFI-Vulnerability/ and https://github.com/fyoozr/vulnerability-research/tree/main/CVE-2025-60344. No official advisories or patches from D-Link are referenced in the available information.