Executive Summary
D-Link has issued an advisory, tracked as CVE-2025-60672, CVE-2025-60673, CVE-2025-60674 and CVE-2025-60676, covering three unauthenticated remote command execution (RCE) vulnerabilities and one USB-triggered stack overflow in all hardware revisions of its end-of-life DIR-878 wireless router. The RCE flaws, reported by security researchers, let an unauthenticated remote attacker execute arbitrary commands on the device and thereby take full control of it. Although D-Link ended firmware support for the DIR-878 in 2021, the router remains in widespread use, particularly in emerging markets, so organizations and individuals that have not decommissioned it remain exposed. A compromised router can serve for network reconnaissance, lateral movement, or as a foothold into a larger network.
This advisory underscores the risk posed by unsupported legacy hardware and the importance of proactive lifecycle management. Because these vulnerabilities allow full device compromise with no user interaction, similar RCE attacks against end-of-life networking equipment are likely to increase as threat actors shift toward unpatched infrastructure.
Why This Matters Now
Obsolete but widely deployed routers are a hidden attack surface that many organizations overlook. With no security patches available, the only durable mitigation is device replacement; until a device is replaced, isolating it and blocking inbound access to its management interface limits exposure. Urgent inventory assessment and remediation are therefore critical to prevent exploitation and potential regulatory non-compliance.
Attack Path Analysis
An attacker exploits one of the remote command execution vulnerabilities in an exposed end-of-life D-Link DIR-878 router to gain initial access. Control of the gateway device is then used to reach internal systems, spreading laterally by abusing permissive routing and weak internal segmentation. The attacker establishes persistent external communication through a backdoor or remote shell, exfiltrates sensitive data over unfiltered egress channels, and finally causes lasting impact such as service disruption or further compromise of organizational operations.
Kill Chain Progression
Initial Compromise
Description
Attackers remotely exploited documented RCE flaws in the publicly exposed DIR-878 router to gain execution capability.
Related CVEs
CVE-2025-60672
CVSS 6.5
Remote unauthenticated command execution: SetDynamicDNSSettings parameters are stored in NVRAM and later used, unsanitized, in system commands.
Affected Products:
D-Link DIR-878 – All hardware revisions
Exploit Status:
proof of concept
CVE-2025-60673
CVSS 6.5
Remote unauthenticated command execution: the IPAddress value passed to SetDMZSettings is injected, unsanitized, into iptables commands.
Affected Products:
D-Link DIR-878 – All hardware revisions
Exploit Status:
proof of concept
CVE-2025-60674
CVSS 6.5
Stack overflow in USB storage handling caused by an oversized 'Serial Number' field. Unlike the other three issues, this one is triggered by a malicious USB device, so it requires physical or USB-device-level access rather than network reachability.
Affected Products:
D-Link DIR-878 – All hardware revisions
Exploit Status:
proof of concept
CVE-2025-60676
CVSS 6.5
Arbitrary command execution via unsanitized fields in /tmp/new_qos.rule, which are consumed by binaries that pass them to system().
Affected Products:
D-Link DIR-878 – All hardware revisions
Exploit Status:
proof of concept
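Three of the four CVEs describe the same root cause: a value the user controls (a DDNS setting, the DMZ IPAddress, a QoS rule field) is spliced into a command line that is handed to system(). The following C example, added here and not taken from D-Link firmware, shows that vulnerable shape beside a hardened form that validates the field positively and passes it as a single execv()-style argument so no shell ever parses it. The function names, the sample request values and the iptables arguments are constructed for illustration and are assumptions, not the device's actual code or command.

```c
/* Added example, not D-Link firmware code. Demonstrates the command-injection
 * pattern behind the DIR-878 CVEs (attacker-controlled field interpolated into
 * a system() command line) beside a hardened variant. Function names, sample
 * inputs and the iptables arguments are constructed assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed sample values for the "IPAddress" field of a DMZ request.
 * The second one is a classic injection payload. */
static const char *SAMPLE_GOOD_IP = "192.168.0.50";
static const char *SAMPLE_BAD_IP  = "192.168.0.50;telnetd -l /bin/sh";

/* VULNERABLE shape (the pattern described for CVE-2025-60673): the field is
 * formatted straight into a command line that the firmware would then pass
 * to system(). Here the string is only built, never executed. */
char *dmz_cmd_vulnerable(const char *ip, char *out, size_t n)
{
    snprintf(out, n,
             "iptables -t nat -A PREROUTING -j DNAT --to-destination %s", ip);
    return out; /* system(out) would also run everything after the ';' */
}

/* Returns 1 if the field contains characters a shell would interpret, 0
 * otherwise. Used to show what the vulnerable builder lets through. */
int has_shell_meta(const char *s)
{
    return strpbrk(s, ";|&`$(){}<>\n\r'\"\\ \t") != NULL;
}

/* HARDENED step 1: positive validation. Accept only a dotted-quad IPv4
 * address; inet_pton() rejects trailing or extra characters outright. */
int validate_ipv4(const char *ip)
{
    struct in_addr a;
    return ip != NULL && strlen(ip) <= 15 && inet_pton(AF_INET, ip, &a) == 1;
}

/* HARDENED step 2: never build a shell command line. Fill a NULL-terminated
 * argv[] for execv()/posix_spawn() so the value is one argument and no shell
 * parses it. argv must hold at least 10 pointers. Returns 0 on success and
 * -1 if the input fails validation (nothing is executed in either case). */
int dmz_argv_hardened(const char *ip, const char *argv[10])
{
    static const char *fixed[] = { "iptables", "-t", "nat", "-A", "PREROUTING",
                                   "-j", "DNAT", "--to-destination" };
    if (!validate_ipv4(ip))
        return -1;
    for (size_t i = 0; i < 8; i++)
        argv[i] = fixed[i];
    argv[8] = ip;   /* passed verbatim as its own argument */
    argv[9] = NULL; /* execv() terminator */
    return 0;
}

int main(void)
{
    char buf[256];
    const char *argv[10];

    printf("vulnerable command: %s\n",
           dmz_cmd_vulnerable(SAMPLE_BAD_IP, buf, sizeof buf));
    printf("payload carries shell metacharacters: %d\n",
           has_shell_meta(SAMPLE_BAD_IP));
    printf("hardened builder rejects payload: %d\n",
           dmz_argv_hardened(SAMPLE_BAD_IP, argv));
    if (dmz_argv_hardened(SAMPLE_GOOD_IP, argv) == 0)
        printf("hardened builder accepts %s as argv[8]\n", argv[8]);
    return 0;
}
```

The same two steps apply to the DDNS and QoS-rule cases: decide what the field may legitimately contain (hostname, port, bandwidth figure) and reject anything else, then invoke the helper binary with an argument vector instead of a formatted string. Validation alone is not enough, since a missed metacharacter in the allow-list reopens the hole; avoiding system() removes the shell from the path entirely.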
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Exploitation for Client Execution (T1203)
Command and Scripting Interpreter (T1059)
Valid Accounts (T1078)
Exploitation for Privilege Escalation (T1068)
Impair Defenses (T1562)
Endpoint Denial of Service (T1499)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9, Section 2
CISA Zero Trust Maturity Model 2.0 – Device Inventory and Lifecycle
Control ID: Devices – Asset Management
NIS2 Directive – Supply Chain Security and ICT Asset Management
Control ID: Article 21(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer/Network Security
D-Link DIR-878 router RCE vulnerabilities expose network security infrastructure to remote exploitation, compromising perimeter defenses and requiring immediate replacement of end-of-life devices.
Financial Services
Hardware vulnerabilities in end-of-life routers threaten encrypted traffic and segmentation controls, potentially violating PCI compliance and enabling lateral movement attacks against financial networks.
Health Care / Life Sciences
Router command execution flaws compromise HIPAA-required network security controls, threatening patient data protection and enabling unauthorized access to healthcare systems and medical devices.
Information Technology/IT
End-of-service router vulnerabilities undermine zero trust segmentation and multicloud visibility capabilities, exposing IT infrastructure to remote exploitation and data exfiltration risks.
Sources
- D-Link warns of new RCE flaws in end-of-life DIR-878 routers – https://www.bleepingcomputer.com/news/security/d-link-warns-of-new-rce-flaws-in-end-of-life-dir-878-routers/ (Verified)
- DIR-878 Firmware Hotfix Release Notes – https://legacyfiles.us.dlink.com/DIR-878/REVA/Firmware/DIR-878_REVA_RELEASE_NOTES_v1.30B08_HOTFIX.pdf (Verified)
- DIR-878: Rev Ax Command Injection vulnerability via the component /bin/proc.cgi – https://www.dlink.com/rs/sr/support/support-news/2022/october/27/dir_878-rev-ax-command-injection-vulnerability (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, network traffic visibility, egress policy enforcement, and distributed inline signature inspection would limit exploitation, contain a compromise, and reduce the avenues for lateral movement and data exfiltration across hybrid networks.
Control: Cloud Firewall (ACF)
Mitigation: Blocked malicious inbound traffic attempting to exploit router vulnerabilities.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of anomalous privileged actions on network devices.
Control: Zero Trust Segmentation
Mitigation: Prevented unauthorized east-west movement from the gateway device.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked known C2 and exploit signatures in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented unauthorized outbound data transfer and unapproved destinations.
Enabled fast identification and remediation of compromised assets.
Impact at a Glance
Affected Business Functions
- Network Security
- Data Integrity
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive data due to unauthorized access and control over network traffic.
Recommended Actions
Key Takeaways & Next Steps
- Immediately assess and remove or isolate unsupported/end-of-life network devices from production and cloud environments.
- Enforce Zero Trust segmentation between network, cloud workloads, and management interfaces to contain lateral movement.
- Implement centralized visibility and anomaly detection for both perimeter and east-west device traffic.
- Apply egress filtering to restrict outbound data flows and monitor for exfiltration attempts from all devices.
- Regularly update and enforce cloud firewall and inline IPS policies to detect and block new exploits targeting infrastructure assets.