CVE-2025-1103

High · Public PoC

Published: 07 February 2025

Modified: 21 May 2025
CVSS v4 score: 7.1
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0949 (93.0th percentile)
Risk priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1103 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Dlink Dir-823X Firmware. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 7.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability classified as problematic exists in the D-Link DIR-823X device running firmware versions 240126 or 240802. It resides in the set_wifi_blacklists function of the /goform/set_wifi_blacklists endpoint inside the HTTP POST Request Handler component. The flaw is triggered by improper handling of the macList argument, resulting in a null pointer dereference that maps to CWE-404 and CWE-476.

An attacker with low privileges can exploit the issue remotely by sending a crafted HTTP POST request. Successful exploitation produces a denial-of-service condition that affects device availability while leaving confidentiality and integrity untouched.

Publicly available references include a detailed disclosure on a Notion page, multiple VulDB entries, and the vendor site, yet none of the supplied sources describe available patches or specific mitigation steps. The associated EPSS score has remained low, reaching a modest peak of 0.1084 before receding to 0.0949.

Vulnerability details

A vulnerability, which was classified as problematic, was found in D-Link DIR-823X 240126/240802. This affects the function set_wifi_blacklists of the file /goform/set_wifi_blacklists of the component HTTP POST Request Handler. The manipulation of the argument macList leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The null pointer dereference in the HTTP handler directly enables remote DoS via application/system exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0492 (same product: Dlink Dir-823X)
CVE-2026-2175 (same product: Dlink Dir-823X)
CVE-2025-10634 (same product: Dlink Dir-823X)
CVE-2025-10401 (same product: Dlink Dir-823X)
CVE-2026-2210 (same product: Dlink Dir-823X)
CVE-2026-2155 (same product: Dlink Dir-823X)
CVE-2025-55848 (same product: Dlink Dir-823X)
CVE-2026-2157 (same product: Dlink Dir-823X)
CVE-2026-2129 (same product: Dlink Dir-823X)
CVE-2025-29635 (same product: Dlink Dir-823X)

Affected Assets

Vendor: dlink
Product: dir-823x firmware
Versions: 240126, 240802

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly validates the macList argument in HTTP POST requests to the set_wifi_blacklists function, preventing malformed inputs from causing null pointer dereference.

Prevent: Ensures null pointer errors from invalid macList manipulation are handled gracefully without resulting in device crashes or denial of service.

Prevent: Provides timely remediation of the specific null pointer dereference flaw through firmware patching for affected D-Link DIR-823X routers.
