CVE-2025-10401
Published: 14 September 2025
Summary
CVE-2025-10401 is a low-severity Injection (CWE-74) vulnerability in Dlink Dir-823X Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-10401 is a command injection vulnerability in D-Link DIR-823x routers running firmware versions up to 250416. The flaw affects an unknown function in the /goform/diag_ping file, where attackers can manipulate the target_addr argument to inject commands. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction. Exploitation enables command injection, resulting in low impacts to confidentiality, integrity, and availability.
Advisories from VulDB detail the vulnerability and submission process, while a GitHub repository provides a public exploit for D-Link DIR-823X AX3000. The D-Link website offers general support resources, though specific patch details are not outlined in available references.
The exploit is publicly available and may be used, increasing the risk of real-world attacks on unpatched devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-29124
Vulnerability details
A vulnerability was detected in D-Link DIR-823x up to 250416. The affected element is an unknown function of the file /goform/diag_ping. Performing manipulation of the argument target_addr results in command injection. Remote exploitation of the attack is possible. The exploit…
more
is now public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in web interface (/goform/diag_ping) of public-facing router enables exploitation of public-facing application (T1190), indirect command execution (T1202), and network device CLI command execution (T1059.008).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of the target_addr argument in /goform/diag_ping to block command injection payloads before execution.
Mandates timely application of vendor patches or firmware updates that eliminate the command-injection flaw in the diag_ping handler.
Requires disabling or removing the diag_ping diagnostic function entirely when it is not essential, eliminating the attack surface.