Cyber Resilience

CVE-2025-10123

Medium · Public PoC

Published: 09 September 2025

Modified: 29 April 2026
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0068 (72.1th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-10123 is a medium-severity Injection (CWE-74) vulnerability in D-Link DIR-823X firmware. Its CVSS v4 base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-10123 is a command injection vulnerability in D-Link DIR-823X routers with firmware versions up to 250416. The flaw affects the function sub_415028 in the file /goform/set_static_leases, where manipulation of the Hostname argument triggers the injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers, with low attack complexity and no user interaction. Attackers can achieve unauthorized command execution on the affected device, potentially leading to low-level impacts on confidentiality, integrity, and availability.

References point to GitHub repositories providing details on the unauthorized command execution vulnerability and a proof-of-concept exploit, along with VulDB entries documenting the issue. The exploit has been publicly disclosed and may be utilized.

Vulnerability details

A vulnerability was determined in D-Link DIR-823X up to 250416. Affected by this vulnerability is the function sub_415028 of the file /goform/set_static_leases. Executing manipulation of the argument Hostname can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Unauthenticated remote command injection in the router's web interface (/goform/set_static_leases) enables exploitation of a public-facing application (T1190) and indirect command execution via hostname parameter manipulation (T1202).

CVEs Like This One

CVE-2025-10401 (same product: D-Link DIR-823X)
CVE-2026-1125 (same product: D-Link DIR-823X)
CVE-2025-10634 (same product: D-Link DIR-823X)
CVE-2025-55848 (same product: D-Link DIR-823X)
CVE-2025-29635 (same product: D-Link DIR-823X)
CVE-2026-2210 (same product: D-Link DIR-823X)
CVE-2026-2082 (same product: D-Link DIR-823X)
CVE-2026-1544 (same product: D-Link DIR-823X)
CVE-2026-2157 (same product: D-Link DIR-823X)
CVE-2026-2129 (same product: D-Link DIR-823X)

Affected Assets

dlink dir-823x firmware, versions ≤ 250416

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation and sanitization of the Hostname argument before it reaches sub_415028, blocking the command injection at the point of input.

prevent: Enforces authorization checks on /goform/set_static_leases so that unauthenticated remote callers cannot invoke the vulnerable function at all.

prevent: Limits the privileges of the web-server process so that even a successful injection yields only minimal command execution impact on the router.
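
One way to implement the input-validation control described above, as an added example (it is not D-Link's firmware code, which this page does not show). It assumes RFC 1123 hostname syntax is the only acceptable format for a Hostname value; the name hostname_is_valid and the sample inputs are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 253  /* RFC 1123 total length limit */
#define LABEL_MAX    63   /* per-label length limit */

/* Hypothetical validator: true only for RFC 1123 hostnames.
 * Allowlisting [A-Za-z0-9-] and '.' rejects every shell metacharacter,
 * whitespace and control byte without maintaining a denylist, and the
 * leading-'-' rule stops the value being read as a command-line option. */
bool hostname_is_valid(const char *s)
{
    if (s == NULL)
        return false;
    size_t len = strlen(s);
    if (len == 0 || len > HOSTNAME_MAX)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* reject an empty label or a label that ends in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        bool alnum = (c >= '0' && c <= '9') ||
                     (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
        if (!alnum && c != '-')
            return false;                 /* anything off the allowlist */
        if (c == '-' && label_len == 0)
            return false;                 /* label may not start with '-' */
        if (++label_len > LABEL_MAX)
            return false;
    }
    /* final label must be non-empty and must not end with '-' */
    return label_len > 0 && s[len - 1] != '-';
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "printer-01", "nas.lan", "bad;name", "-lead", "a b", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s -> %s\n", samples[i], hostname_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A check like this belongs before the value is stored or used in any command; passing the value as a separate argument to an exec-style call instead of building a shell string removes the injection path even if validation is later loosened.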
