CVE-2025-10123
Published: 09 September 2025
Summary
CVE-2025-10123 is a medium-severity Injection (CWE-74) vulnerability in D-Link DIR-823X firmware. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 27.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-10123 is a command injection vulnerability in D-Link DIR-823X routers with firmware versions up to 250416. The flaw affects the function sub_415028 in the file /goform/set_static_leases, where manipulation of the Hostname argument triggers the injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
The vulnerability can be exploited remotely by unauthenticated attackers, with low attack complexity and no user interaction. Attackers can achieve unauthorized command execution on the affected device, potentially leading to low-level impacts on confidentiality, integrity, and availability.
References point to GitHub repositories providing details on the unauthorized command execution vulnerability and a proof-of-concept exploit, along with VulDB entries documenting the issue. The exploit has been publicly disclosed and may be utilized.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27219
Vulnerability details
A vulnerability was determined in D-Link DIR-823X up to 250416. Affected by this vulnerability is the function sub_415028 of the file /goform/set_static_leases. Executing manipulation of the argument Hostname can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote command injection in the router's web interface (/goform/set_static_leases) enables exploitation of a public-facing application (T1190) and indirect command execution via hostname parameter manipulation (T1202).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of the Hostname argument before it reaches sub_415028, blocking the command injection at the point of input.
Enforces authorization checks on /goform/set_static_leases so that unauthenticated remote callers cannot invoke the vulnerable function at all.
Limits the privileges of the web-server process so that even a successful injection yields only minimal command execution impact on the router.
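One way to apply the input-validation control to a static-lease hostname, as an added example (not D-Link's code and not taken from the referenced repositories): an allowlist check following RFC 1123 label rules that rejects, rather than escapes, anything outside letters, digits, hyphens and dots. The helper name `hostname_is_safe` and the sample inputs in `main` are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 253   /* RFC 1123 total length limit */
#define LABEL_MAX    63    /* RFC 1123 per-label limit */

/* ASCII-only test so the result does not depend on the C locale. */
static int is_ascii_alnum(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Hypothetical helper: returns 1 only if s consists of dot-separated
 * labels of [A-Za-z0-9-], none empty, none starting or ending with '-'.
 * Shell metacharacters, whitespace and control bytes all fail the test. */
int hostname_is_safe(const char *s)
{
    size_t len, i, label_len = 0;

    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > HOSTNAME_MAX)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label_len == 0 || s[i - 1] == '-')
                return 0;          /* empty label or label ending in '-' */
            label_len = 0;
        } else if (is_ascii_alnum(c) || c == '-') {
            if (c == '-' && label_len == 0)
                return 0;          /* leading '-' could be read as an option */
            if (++label_len > LABEL_MAX)
                return 0;
        } else {
            return 0;              /* byte not on the allowlist */
        }
    }
    return label_len > 0 && s[len - 1] != '-';
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "printer-01", "nas.lan", "pc;reboot", "-rf", "a..b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i],
               hostname_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind is most effective when the accepted value is then passed as a separate argument to the target program rather than concatenated into a shell command string.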