Cyber Posture

CVE-2025-60679

High · Public PoC

Published: 13 November 2025

Modified: 17 November 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.2nd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-60679 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in D-Link DIR-816 firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.2nd percentile by exploit likelihood, below the median. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the CVE by identifying, reporting, and correcting the stack buffer overflow flaw in the router firmware through timely patching.

prevent

Implements memory safeguards like stack canaries, ASLR, and DEP to prevent arbitrary code execution from the stack buffer overflow.

prevent

Requires validation of /proc/version input length before concatenation to avoid exceeding the 512-byte buffer limit.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The stack buffer overflow in the upload.cgi web module of the D-Link router firmware enables remote arbitrary code execution when oversized /proc/version content is processed, facilitating exploitation of public-facing applications and remote services.

NVD Description

A stack buffer overflow vulnerability exists in the D-Link DIR-816A2 router firmware DIR-816A2_FWv1.10CNB05_R1B011D88210.img in the upload.cgi module, which handles firmware version information. The vulnerability occurs because /proc/version is read into a 512-byte buffer and then concatenated using sprintf() into another 512-byte buffer containing a 29-byte constant. Input exceeding 481 bytes triggers a stack buffer overflow, allowing an attacker who can control /proc/version content to potentially execute arbitrary code on the device.

Deeper analysis

CVE-2025-60679 is a stack buffer overflow vulnerability (CWE-121) in the D-Link DIR-816A2 router firmware version DIR-816A2_FWv1.10CNB05_R1B011D88210.img, specifically within the upload.cgi module responsible for handling firmware version information. The flaw occurs when the contents of /proc/version are read into a 512-byte buffer and then concatenated via sprintf() into a second 512-byte buffer that already holds a 29-byte constant string. Inputs from /proc/version exceeding 481 bytes overrun the second buffer, leading to the overflow.
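The bounded form of the concatenation described above, as an added example (not code from the firmware or from the referenced analysis). The 29-byte prefix is a constructed placeholder and `build_version_line` is a hypothetical name; the firmware's actual constant and format string are not given on this page.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512
/* Constructed 29-byte stand-in; the firmware's real constant is not on the page. */
#define PREFIX "FIRMWARE_VERSION_PLACEHOLDER:"

/* Pattern described in the advisory (unbounded write into a 512-byte buffer):
 *     sprintf(out, PREFIX "%s", version);
 * Hardened form: bounded write plus an explicit truncation check.
 * Returns the number of bytes written, or -1 if the result would not fit. */
int build_version_line(char *out, size_t out_size, const char *version)
{
    int n = snprintf(out, out_size, "%s%s", PREFIX, version);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';   /* fail closed: never hand back a truncated line */
        return -1;
    }
    return n;
}

/* Demo helper: build a NUL-terminated string of `len` 'A' bytes (constructed input). */
static void fill(char *buf, size_t len)
{
    memset(buf, 'A', len);
    buf[len] = '\0';
}

int main(void)
{
    char version[BUF_SIZE], out[BUF_SIZE];

    /* Short input: prefix plus input fits in the destination buffer. */
    fill(version, 100);
    printf("100 bytes -> %d\n", build_version_line(out, sizeof out, version));

    /* Largest string the 512-byte source buffer can hold: rejected, not written. */
    fill(version, BUF_SIZE - 1);
    printf("511 bytes -> %d\n", build_version_line(out, sizeof out, version));
    return 0;
}
```

Checking the `snprintf()` return value matters as much as the size argument: without it the call silently truncates and the caller continues with a partial version string.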

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility with low complexity and requiring only low privileges. An attacker able to control the content of /proc/version can trigger the overflow to potentially execute arbitrary code on the device, compromising confidentiality, integrity, and availability with high impact.

References include D-Link vendor sites such as http://d-link.com, https://www.dlink.com/en, and https://www.dlink.com/en/security-bulletin/, along with a detailed analysis at https://github.com/yifan20020708/SGTaint-0-day/blob/main/DLink/DLink-DIR-816/CVE-2025-60679.md, which may provide further guidance on advisories or patches.

Details

CWE(s)

Affected Products

Vendor: dlink
Product: dir-816 firmware
Version: 1.10cnb05_r1b011d88210

CVEs Like This One

CVE-2025-70222 (same vendor: Dlink)
CVE-2025-70232 (same vendor: Dlink)
CVE-2025-70230 (same vendor: Dlink)
CVE-2025-25745 (same vendor: Dlink)
CVE-2025-70226 (same vendor: Dlink)
CVE-2025-70244 (same vendor: Dlink)
CVE-2025-70223 (same vendor: Dlink)
CVE-2025-70220 (same vendor: Dlink)
CVE-2025-70229 (same vendor: Dlink)
CVE-2025-70218 (same vendor: Dlink)
