CVE-2025-10634
Published: 18 September 2025
Summary
CVE-2025-10634 is a medium-severity Injection (CWE-74) vulnerability in D-Link DIR-823X firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); it ranks at the 34.1 percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The remote command injection vulnerability in the router's GoAhead web server (public-facing application) enables T1190 (Exploit Public-Facing Application) for initial access/execution and directly facilitates T1059.004 (Unix Shell) by allowing arbitrary command execution on the Linux-based device.
NVD Description
A weakness has been identified in D-Link DIR-823X 240126/240802/250416. The impacted element is the function sub_412E7C of the file /usr/sbin/goahead of the component Environment Variable Handler. This manipulation of the argument terminal_addr/server_ip/server_port causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.
Deeper analysis (AI)
CVE-2025-10634 is a command injection vulnerability in D-Link DIR-823X routers running firmware versions 240126, 240802, and 250416. The flaw affects the sub_412E7C function in the /usr/sbin/goahead file, part of the Environment Variable Handler component. It arises from improper handling of the terminal_addr, server_ip, or server_port arguments, enabling injected commands. Published on 2025-09-18T02:15:40.273, the vulnerability carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-74 and CWE-77.
The vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required. Exploitation demands low privileges (PR:L), such as those of an authenticated user. Attackers can achieve limited impacts, including low-level disclosure of information, modification of data, and denial of service through command injection.
References point to a GitHub repository with exploit details, a Baidu share likely containing the exploit, and multiple VulDB entries. No specific mitigation steps or patches are described in the available information; practitioners should review vendor guidance and the linked advisories for remediation options.
An exploit is publicly available, heightening the potential for real-world abuse against unpatched devices.
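As an added defensive illustration (not D-Link's code and not the vulnerable function), a strict allow-list validator for the three parameters named in the description, written in C because the affected GoAhead binary is native code. It assumes terminal_addr and server_ip are IPv4 addresses and server_port is a decimal port, which the page does not state.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Accept only a strict dotted-quad IPv4 address such as 192.0.2.10.
   inet_pton() rejects whitespace, shell metacharacters and trailing junk,
   so anything that reaches an environment variable or shell is exactly an IP. */
int is_valid_ipv4(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > 15)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Accept only an unsigned decimal port 1..65535: digits only, no sign or spaces. */
int is_valid_port(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 5)
        return 0;
    for (const char *p = s; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    long v = strtol(s, NULL, 10);
    return v >= 1 && v <= 65535;
}

/* Allow-list check for the three request parameters named in the advisory.
   Assumption (not stated on the page): terminal_addr and server_ip are IPv4
   addresses and server_port is a decimal port. Returns 1 only if all pass. */
int validate_params(const char *terminal_addr, const char *server_ip,
                    const char *server_port)
{
    return is_valid_ipv4(terminal_addr) && is_valid_ipv4(server_ip) &&
           is_valid_port(server_port);
}

int main(void)
{
    /* Constructed sample inputs: one well-formed set, one carrying a metacharacter. */
    printf("clean:   %d\n", validate_params("192.0.2.10", "192.0.2.20", "8443"));
    printf("tainted: %d\n", validate_params("192.0.2.10", "192.0.2.20;x", "8443"));
    return 0;
}
```

Rejecting rather than escaping is the point: a value that is not exactly an address or a port never reaches the environment or a shell.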
Details
- CWE(s)