Cyber Posture

CVE-2025-60679

High · Public PoC

Published: 13 November 2025

Modified: 17 November 2025
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0026 49.2th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A stack buffer overflow vulnerability exists in the D-Link DIR-816A2 router firmware DIR-816A2_FWv1.10CNB05_R1B011D88210.img in the upload.cgi module, which handles firmware version information. The vulnerability occurs because /proc/version is read into a 512-byte buffer and then concatenated using sprintf() into another 512-byte buffer containing a 29-byte constant. Input exceeding 481 bytes triggers a stack buffer overflow, allowing an attacker who can control /proc/version content to potentially execute arbitrary code on the device.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates the CVE by identifying, reporting, and correcting the stack buffer overflow flaw in the router firmware through timely patching.

prevent

Implements memory safeguards like stack canaries, ASLR, and DEP to prevent arbitrary code execution from the stack buffer overflow.

prevent

Requires validation of /proc/version input length before concatenation to avoid exceeding the 512-byte buffer limit.
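
The length validation described above, written out in C as an added example (not D-Link's code and not taken from the referenced analysis). PREFIX is a constructed 29-byte stand-in for the firmware's constant, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 512  /* both buffers are 512 bytes per the description */

/* Constructed 29-byte stand-in; the firmware's real constant is not on the page. */
static const char PREFIX[] = "Current kernel version info: ";

/* Read at most cap-1 bytes of path into buf and NUL-terminate. Returns length or -1. */
int read_version(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* Bounded replacement for sprintf(out, "<constant>%s", ver).
 * Returns 0 on success, -1 if prefix + ver + NUL does not fit in out_sz. */
int format_version(char *out, size_t out_sz, const char *ver) {
    int need = snprintf(out, out_sz, "%s%s", PREFIX, ver);
    if (need < 0 || (size_t)need >= out_sz) {
        if (out_sz > 0) out[0] = '\0';   /* never hand back a truncated string */
        return -1;
    }
    return 0;
}

/* Helper for boundary checks: a constructed version string of ver_len 'A' bytes. */
int check_len(size_t ver_len) {
    char ver[BUF_SZ], out[BUF_SZ];
    if (ver_len >= sizeof ver) return -2;
    memset(ver, 'A', ver_len);
    ver[ver_len] = '\0';
    return format_version(out, sizeof out, ver);
}

int main(void) {
    char ver[BUF_SZ], out[BUF_SZ];
    if (read_version("/proc/version", ver, sizeof ver) < 0) return 1;
    if (format_version(out, sizeof out, ver) != 0) {
        fputs("version string too long, rejected\n", stderr);
        return 1;
    }
    fputs(out, stdout);
    return 0;
}
```

The caller treats an over-long version string as an error instead of copying it, so the second buffer is never written past its end regardless of what the first buffer holds.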

Security Summary · AI

CVE-2025-60679 is a stack buffer overflow vulnerability (CWE-121) in the D-Link DIR-816A2 router firmware version DIR-816A2_FWv1.10CNB05_R1B011D88210.img, specifically within the upload.cgi module responsible for handling firmware version information. The flaw occurs when the contents of /proc/version are read into a 512-byte buffer and then concatenated via sprintf() into a second 512-byte buffer that already holds a 29-byte constant string. Inputs from /proc/version exceeding 481 bytes overrun the second buffer, leading to the overflow.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low complexity and requiring only low privileges. An attacker able to control the content of /proc/version can trigger the overflow to potentially execute arbitrary code on the device, compromising confidentiality, integrity, and availability with high impact.

References include D-Link vendor sites such as http://d-link.com, https://www.dlink.com/en, and https://www.dlink.com/en/security-bulletin/, along with a detailed analysis at https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-816/CVE-2025-60679.md, which may provide further guidance on advisories or patches.

Details

CWE(s)

Affected Products

dlink · dir-816 firmware · 1.10cnb05_r1b011d88210

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

The stack buffer overflow in the upload.cgi web module of the D-Link router firmware enables remote arbitrary code execution when oversized /proc/version content is processed, facilitating exploitation of public-facing applications and remote services.
