D-Link has warned that three remotely exploitable command-execution flaws affect all models and hardware revisions of its DIR-878 router, a device the company declared end-of-life in 2021 but that remains available in some markets. The DIR-878 was marketed as a high-performance dual-band wireless router when it launched in 2017.
Technical details and proof-of-concept exploit code were published by a researcher using the name Yangyifan on GitHub. The disclosures include examples of unsanitized inputs and parameters stored in non-volatile RAM being used in system commands.
D-Link’s security advisory lists four vulnerabilities: CVE-2025-60672, CVE-2025-60673, CVE-2025-60674 and CVE-2025-60676. The first two and the fourth can be triggered remotely via unsanitized inputs used in system commands, while CVE-2025-60674 involves a stack overflow in USB storage handling that requires physical access or control of a USB device.
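The bug class described above, a stored or user-supplied parameter placed into a shell command string, and its usual fix, as an added example that is neither D-Link firmware code nor the researcher's proof of concept. The NVRAM lookup, key names, sample values and function names are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a firmware NVRAM lookup; values are constructed. */
static const char *nvram_get_demo(const char *key) {
    if (strcmp(key, "ntp_server") == 0) return "pool.example.org";
    if (strcmp(key, "ntp_server_bad") == 0) return "pool.example.org;true";
    return NULL;
}

/* Allowlist: 1..253 chars of [A-Za-z0-9.-], not starting with '-'
 * (a leading '-' would be read as an option by the called tool). */
int is_safe_hostname(const char *s) {
    if (s == NULL || s[0] == '\0' || s[0] == '-') return 0;
    size_t n = strlen(s);
    if (n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* Weak pattern (comment only, never executed here):
 *   snprintf(cmd, sizeof cmd, "tool %s", value); system(cmd);
 * The shell interprets metacharacters inside value.
 * Hardened: validate first, then exec without a shell so the value is
 * exactly one argv element. Returns the exit status, or -1 if rejected. */
int run_with_value(const char *tool, const char *key) {
    const char *value = nvram_get_demo(key);
    if (!is_safe_hostname(value)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)value, NULL };
        execv(tool, argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return run_with_value("/bin/echo", "ntp_server") == 0 ? 0 : 1; }
```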
D-Link said it will not release security updates for the DIR-878 because the model is end-of-service and recommended replacing it with an actively supported product. The router can still be bought new or used, with prices reported between $75 and $122. The U.S. Cybersecurity and Infrastructure Security Agency has assessed the flaws as medium severity.
Publicly available proof-of-concept code typically attracts threat actors’ attention, including botnet operators who add known exploits to their toolkits. Recent botnets have used dozens of known flaws and have been used to launch large distributed denial-of-service attacks.

