External risk intelligence

D-Link DIR-823X Command Injection Vulnerability

CVE advisory
Known Exploit

CVE-2025-29635

A command injection vulnerability exists in D-Link DIR-823X routers, allowing authorized attackers to execute arbitrary commands remotely. This impacts organizations using these devices, potentially leading to unauthorized access and control of network infrastructure. The risk involves compromise of the router and any

Halo Surface Signal: 4

Command Injection

D-Link DIR-823X Firmware

240126, 240802

External exposure likelihood

Halo Surface Signal score for CVE-2025-29635

The affected product is a D-Link wireless router. Such consumer networking equipment is commonly deployed at the network edge, and administrative interfaces for these devices are frequently exposed to the public internet or managed via web-based management portals.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects certain D-Link DIR-823X devices. A flaw in the device's firmware allows an authorized attacker to execute arbitrary commands on remote devices. This could lead to unauthorized access and control of affected systems.

  • Vulnerable D-Link DIR-823X firmware
  • Command injection flaw
  • Remote command execution

Attack Path

How an attacker could exploit the issue

An attacker can exploit a command injection vulnerability within D-Link DIR-823X devices. This attack requires the attacker to have authenticated access to the device. By sending a specially crafted POST request to a specific administrative endpoint, the attacker can trigger the execution of arbitrary commands. This capability could allow the attacker to gain unauthorized control over the affected device, potentially leading to further compromise of the network or data.

  • Exposure condition: Authorized access to the device.
  • Attacker starting point: Network access to the device.
  • Trigger and result: POST request to `/goform/set_prohibiting` executes arbitrary commands.

Live Threat

Current exploitation, exposure, and threat context

A command injection vulnerability exists in D-Link DIR-823X devices, allowing unauthorized command execution. This could enable attackers to compromise affected devices and potentially use them for malicious purposes. Given the exposure of these devices, organizations should assess their risk and take appropriate action.

  • Likely attacker skill level: Moderate.
  • Required access or conditions: Authorized access.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Organizations running D-Link DIR-823X devices face a command injection vulnerability that specifically affects firmware versions 240126 and 240802. The issue allows an authorized attacker to execute arbitrary commands by sending a POST request to a specific administrative endpoint. The United States Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, which indicates active exploitation and calls for prioritized attention.

  • Identify all D-Link DIR-823X devices.
  • Isolate affected devices from the network.
  • Apply vendor fixes and monitor system activity.
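To support the identification and monitoring steps above, here is an added example (not part of this advisory or any D-Link tooling) that checks a constructed device inventory against the two affected firmware builds and flags POST requests to the `/goform/set_prohibiting` endpoint in HTTP access logs. It assumes a combined-format access log captured at a proxy or sensor in front of the router, and hypothetical inventory field names.

```python
import re
from dataclasses import dataclass

# Firmware builds the advisory lists as affected.
AFFECTED_VERSIONS = {"240126", "240802"}
VULNERABLE_ENDPOINT = "/goform/set_prohibiting"

@dataclass
class Device:
    host: str      # hypothetical inventory fields
    model: str
    firmware: str

def affected_devices(inventory):
    """Return DIR-823X devices still on an affected firmware build."""
    return [d for d in inventory
            if d.model.upper() == "DIR-823X" and d.firmware in AFFECTED_VERSIONS]

# Apache/nginx combined log format: src ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def suspicious_requests(log_lines, trusted_sources=()):
    """Flag POSTs to the vulnerable endpoint from any source not known to be an admin host."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as access-log entries
        path = m["path"].split("?", 1)[0]  # ignore query string when matching the endpoint
        if m["method"] == "POST" and path == VULNERABLE_ENDPOINT and m["src"] not in trusted_sources:
            hits.append((m["src"], m["ts"], m["status"]))
    return hits

# Constructed sample data: hostnames, addresses and the non-affected build are placeholders.
INVENTORY = [
    Device("edge-rtr-1", "DIR-823X", "240126"),
    Device("edge-rtr-2", "DIR-823X", "250101"),  # placeholder build, not in the affected list
    Device("edge-rtr-3", "dir-823x", "240802"),
    Device("core-sw-1", "DGS-1210", "6.30"),
]
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2025:08:15:02 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 512
192.168.0.10 - - [10/May/2025:08:20:11 +0000] "GET /index.html HTTP/1.1" 200 3201
198.51.100.4 - - [10/May/2025:09:01:55 +0000] "POST /goform/set_prohibiting?x=1 HTTP/1.1" 200 128
192.168.0.10 - - [10/May/2025:09:02:07 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 128
"""

if __name__ == "__main__":
    print("affected:", [d.host for d in affected_devices(INVENTORY)])
    print("hits:", suspicious_requests(SAMPLE_LOG.splitlines(), trusted_sources={"192.168.0.10"}))
```

Because the flaw requires authentication, a successful (200) POST to this endpoint from an address outside the known administrator set is worth investigating even when the device has already been patched.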

Frequently asked questions

What is the D-Link DIR-823X firmware?

The D-Link DIR-823X firmware is the software that runs on certain D-Link DIR-823X wireless router models. This firmware manages the device's network functions and settings, allowing users to connect to the internet and configure their home or office networks.

What is the weakness in D-Link DIR-823X firmware (CVE-2025-29635)?

The weakness is a command injection vulnerability, classified as CWE-77. This means an attacker can trick the firmware into executing unintended system commands, potentially leading to unauthorized control of the device.

How can the D-Link DIR-823X vulnerability be triggered?

An attacker with authorized access to the device can trigger this vulnerability by sending a specific POST request to the /goform/set_prohibiting endpoint. This request, when processed by the device's firmware, leads to the execution of arbitrary commands.

Who should care about this D-Link DIR-823X vulnerability?

Anyone using D-Link DIR-823X devices should care. These devices are often at the network edge, meaning they are connected to the internet. This exposure increases the risk that an attacker could target them, making it crucial to address this vulnerability.

What is the first step for an organization running this technology that is exposed to CVE-2025-29635?

The initial step is to identify all D-Link DIR-823X devices within your network. Once identified, consider isolating them from the network to prevent potential exploitation while you investigate further remediation steps recommended by the vendor.
