Overview
- Security researchers disclosed CVE-2025-60672, CVE-2025-60673, CVE-2025-60674 and CVE-2025-60676, which allow remote code execution and full device takeover.
- Exploitation requires only specially crafted HTTP requests with no authentication, leaving internet-exposed units vulnerable to remote compromise.
- The router has been unsupported since January 2021 and D-Link will not release patches for the model.
- No confirmed in-the-wild attacks have been reported, though the risk is considered high following public disclosure.
- The FBI advises replacing unsupported routers and recommends disabling remote management, applying available firmware updates, and using long, unique passwords.