Cyber Posture

CVE-2025-10123

HighPublic PoC

Published: 09 September 2025

Published
09 September 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0036 58.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10123 is a high-severity Injection (CWE-74) vulnerability in Dlink Dir-823X Firmware. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation
addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

SI-4 System Monitoring
addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1202 Indirect Command Execution Stealth
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
attack.mitre.org →
Why these techniques?

Unauthenticated remote command injection in the router's web interface (/goform/set_static_leases) enables exploitation of a public-facing application (T1190) and indirect command execution via hostname parameter manipulation (T1202).

NVD Description

A vulnerability was determined in D-Link DIR-823X up to 250416. Affected by this vulnerability is the function sub_415028 of the file /goform/set_static_leases. Executing manipulation of the argument Hostname can lead to command injection. The attack can be launched remotely. The…

more

exploit has been publicly disclosed and may be utilized.

Deeper analysisAI

CVE-2025-10123 is a command injection vulnerability in D-Link DIR-823X routers with firmware versions up to 250416. The flaw affects the function sub_415028 in the file /goform/set_static_leases, where manipulation of the Hostname argument triggers the injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

The vulnerability enables remote exploitation by unauthenticated attackers requiring low complexity and no user interaction. Attackers can achieve unauthorized command execution on the affected device, potentially leading to low-level impacts on confidentiality, integrity, and availability.

References point to GitHub repositories providing details on the unauthorized command execution vulnerability and a proof-of-concept exploit, along with VulDB entries documenting the issue. The exploit has been publicly disclosed and may be utilized.

Details

CWE(s)
CWE-74CWE-77

Affected Products

dlink
dir-823x firmware
≤ 250416

CVEs Like This One

CVE-2025-10401Same product: Dlink Dir-823X
CVE-2025-10634Same product: Dlink Dir-823X
CVE-2026-1125Same product: Dlink Dir-823X
CVE-2025-55848Same product: Dlink Dir-823X
CVE-2025-29635Same product: Dlink Dir-823X
CVE-2026-2175Same product: Dlink Dir-823X
CVE-2026-2210Same product: Dlink Dir-823X
CVE-2026-2081Same product: Dlink Dir-823X
CVE-2026-2157Same product: Dlink Dir-823X
CVE-2026-2143Same product: Dlink Dir-823X

References