CVE-2025-60554

Unknown · Unknown Multiple Products

A critical buffer overflow vulnerability, identified as CVE-2025-60554, has been discovered in multiple products, including the D-Link DIR-600L router.

Executive summary

A critical buffer overflow vulnerability, identified as CVE-2025-60554, has been discovered in multiple products, including the D-Link DIR-600L router. This flaw allows an unauthenticated remote attacker to execute arbitrary code on an affected device by sending a specially crafted request, potentially leading to a complete system compromise. Given the critical severity rating (CVSS 9.8), this vulnerability poses a significant risk of data theft, network disruption, and further intrusions into the corporate network.

Vulnerability

This vulnerability is a classic stack-based buffer overflow. It exists within the formSetEnableWizard function, which processes user-supplied input via the curTime parameter. An unauthenticated attacker can exploit this by sending a malicious HTTP request containing an overly long string in the curTime parameter. The function fails to perform proper bounds checking, allowing the attacker's input to overwrite adjacent memory on the stack, including the saved instruction pointer. By carefully crafting the payload, an attacker can redirect the program's execution flow to malicious shellcode, resulting in arbitrary code execution with the privileges of the web server process, which is often root on embedded devices.
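To make the missing bounds check concrete, here is an added, constructed C sketch of the pattern described above alongside a hardened form of the same handler. This is illustration code written for this page, not the D-Link firmware: the function names, the 32-byte buffer size, the return codes and the digits-only allowlist are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer that receives curTime (hypothetical). */
#define CUR_TIME_BUF 32

/* Return codes of the hardened handler (hypothetical). */
enum { SET_TIME_OK = 0, SET_TIME_REJECTED = -1 };

/*
 * Vulnerable pattern (constructed for comparison, never invoked with
 * overlong input here): the request parameter is copied into a fixed-size
 * stack buffer with no length check, so a value longer than CUR_TIME_BUF
 * runs past the buffer into adjacent stack memory.
 */
void set_enable_wizard_unsafe(const char *cur_time)
{
    char buf[CUR_TIME_BUF];
    strcpy(buf, cur_time);            /* unbounded copy: the defect */
    printf("curTime=%s\n", buf);
}

/* Length of s, but never scanning more than limit bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/*
 * Hardened form: measure the input with a hard cap first, reject anything
 * that does not fit (rather than silently truncating), apply a format
 * allowlist, and only then copy with an explicit bound.
 */
int set_enable_wizard_safe(const char *cur_time, char *out, size_t out_len)
{
    if (cur_time == NULL || out == NULL || out_len == 0)
        return SET_TIME_REJECTED;

    size_t n = bounded_len(cur_time, out_len);
    if (n >= out_len)                 /* no room left for the terminator */
        return SET_TIME_REJECTED;

    /* Allowlist (assumption): a timestamp-style value is digits only. */
    for (size_t i = 0; i < n; i++) {
        if (cur_time[i] < '0' || cur_time[i] > '9')
            return SET_TIME_REJECTED;
    }

    memcpy(out, cur_time, n + 1);     /* bounded copy, including the NUL */
    return SET_TIME_OK;
}

/* Drop-in replacement for the unsafe call site: same stack buffer, checked copy. */
int handle_cur_time(const char *cur_time)
{
    char buf[CUR_TIME_BUF];
    int rc = set_enable_wizard_safe(cur_time, buf, sizeof buf);
    if (rc == SET_TIME_OK)
        printf("curTime=%s\n", buf);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a plausible timestamp and a 199-byte filler string. */
    char overlong[200];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    printf("valid:    %d\n", handle_cur_time("1700000000"));   /* 0  */
    printf("overlong: %d\n", handle_cur_time(overlong));       /* -1 */
    return 0;
}
```

The important design choice is to reject rather than truncate: truncating an overlong value with `strncpy` keeps the stack intact but silently accepts attacker-shaped input, and `strncpy` also leaves the buffer unterminated when the source fills it exactly. Measuring with a capped scan also means a non-terminated value cannot trigger an over-read during the length check itself.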

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for damage. Successful exploitation allows an attacker to gain complete control over the affected network device. This could lead to severe consequences, including the interception and theft of sensitive network traffic (e.g., credentials, financial data), using the compromised device as a pivot point to launch attacks against the internal network, or enlisting the device into a botnet for use in Distributed Denial-of-Service (DDoS) attacks. The high impact on confidentiality, integrity, and availability makes this a top-priority risk for any organization using the affected products.

Remediation

Immediate Action: Organizations must immediately identify all affected devices and apply the latest firmware or software updates provided by the vendor. Due to the critical nature of this vulnerability, patching should be treated as an emergency change. After patching, monitor systems for any signs of compromise that may have occurred prior to remediation.

Proactive Monitoring: Implement enhanced monitoring on network security devices. Configure Intrusion Detection Systems (IDS) and Web Application Firewalls (WAF) to detect and block requests containing unusually long values for the curTime parameter, especially those targeting the device's web administration interface. Monitor firewall and device logs for anomalous outbound connections from affected devices, which could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Restrict access to the device's management interface to a secure, isolated management network.
  • Disable remote (WAN) administration on all affected devices.
  • Deploy a Web Application Firewall (WAF) with rules specifically designed to block oversized requests to the vulnerable parameter (virtual patching).
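The monitoring and virtual-patching advice above both reduce to one check: find the curTime parameter in a request and flag it when the value is longer than any legitimate timestamp could be. The following C program is an added example of that detection logic over constructed sample traffic; it is not a rule from any real IDS or WAF product. The 32-byte threshold, the `find_param` helper and the `other=` parameter in the samples are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Threshold (assumption): a genuine curTime value is a short timestamp,
 * so any value longer than this is treated as anomalous. */
#define CUR_TIME_MAX_LEN 32

/*
 * Locate the value of a named parameter in a URL-encoded query string or
 * form body such as "a=1&curTime=123&b=2". The match is anchored at the
 * start of the string or directly after '&', so "xcurTime=" is not a hit.
 * Returns a pointer to the first byte of the value and stores its length,
 * or NULL when the parameter is absent.
 */
const char *find_param(const char *qs, const char *name, size_t *value_len)
{
    size_t name_len = strlen(name);
    const char *p = qs;
    while (p != NULL && *p != '\0') {
        const char *amp = strchr(p, '&');
        size_t seg_len = amp ? (size_t)(amp - p) : strlen(p);
        if (seg_len > name_len &&
            strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            *value_len = seg_len - name_len - 1;
            return p + name_len + 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* 1 if the request carries a curTime value longer than max_len, else 0. */
int is_oversized_cur_time(const char *qs, size_t max_len)
{
    size_t len = 0;
    const char *v = find_param(qs, "curTime", &len);
    return (v != NULL && len > max_len) ? 1 : 0;
}

/* Apply the check to a batch of request bodies; returns how many were flagged. */
int count_flagged(const char *const *requests, size_t n, size_t max_len)
{
    int flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_oversized_cur_time(requests[i], max_len)) {
            printf("FLAG: %.48s...\n", requests[i]);
            flagged++;
        }
    }
    return flagged;
}

/* Constructed sample traffic: two benign bodies, one oversized curTime,
 * and one near-miss parameter name that must not be flagged. */
const char *const SAMPLE_REQUESTS[] = {
    "curTime=1700000000&other=1",
    "other=0&curTime=1700000042",
    "curTime=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&other=1",
    "xcurTime=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_REQUESTS / sizeof SAMPLE_REQUESTS[0];

int main(void)
{
    int n = count_flagged(SAMPLE_REQUESTS, SAMPLE_COUNT, CUR_TIME_MAX_LEN);
    printf("flagged %d of %zu requests\n", n, SAMPLE_COUNT);   /* flagged 1 of 4 */
    return 0;
}
```

Two caveats when turning this into a production rule: the length must be measured after the WAF has fully decoded the request (percent-encoding, chunked transfer encoding, multipart bodies), otherwise the same value can be delivered in a form this string scan never sees; and the check should apply to both the query string and the body, since the page does not say which the handler reads.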

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a critical risk to the organization. The CVSS score of 9.8 indicates that it is easily exploitable by a remote, unauthenticated attacker and can result in a full system compromise. Although this CVE is not currently listed on the CISA KEV list, its severity makes it a prime candidate for future inclusion. We strongly recommend that organizations prioritize the immediate patching of all affected products, including the D-Link DIR-600L, to prevent potential exploitation. If patching is delayed, compensating controls must be implemented without exception.