CVE-2025-60344

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-60344
A path traversal (directory traversal) vulnerability in D-Link DSR series routers allows unauthenticated remote attackers to manipulate input parameters used for file or directory path resolution (e.g., via sequences such as “../”). Successful exploitation may allow access to files outside of the intended directory, potentially exposing sensitive system or configuration files. The issue results from insufficient validation or sanitization of user-supplied input. Affected Products include: DSR-150, DSR-150N, and DSR-250N v1.09B32_WW.

8.6 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/fyoozr/D-Link-DSR-N250-LFI-Vulnerability/
https://github.com/fyoozr/vulnerability-research/tree/main/CVE-2025-60344
Configurations

No configuration.

History

27 Feb 2026, 18:16

Type Values Removed Values Added
Summary (en) An unauthenticated Local File Inclusion (LFI) vulnerability in D-Link DSR series routers allows remote attackers to retrieve sensitive configuration files in clear text. The exposed files contain administrative credentials, VPN settings, and other sensitive information, enabling full administrative access to the router. Affected Products include: DSR-150, DSR-150N, and DSR-250N v1.09B32_WW. (en) A path traversal (directory traversal) vulnerability in D-Link DSR series routers allows unauthenticated remote attackers to manipulate input parameters used for file or directory path resolution (e.g., via sequences such as “../”). Successful exploitation may allow access to files outside of the intended directory, potentially exposing sensitive system or configuration files. The issue results from insufficient validation or sanitization of user-supplied input. Affected Products include: DSR-150, DSR-150N, and DSR-250N v1.09B32_WW.

27 Feb 2026, 17:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.6 		v2 : unknown
v3 : 8.6
CWE CWE-24

21 Oct 2025, 21:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.6
CWE CWE-200

21 Oct 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-10-21 15:15

Updated : 2026-02-27 18:16

NVD link : CVE-2025-60344

Mitre link : CVE-2025-60344

CVE.ORG link : CVE-2025-60344

JSON object : View

Products Affected

No product.

CWE
CWE-24

Path Traversal: '../filedir'

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor