Cyber Posture

CVE-2025-1103

MediumPublic PoC

Published: 07 February 2025

Published
07 February 2025
Modified
21 May 2025
KEV Added
Patch
CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.1084 93.4th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1103 is a medium-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Dlink Dir-823X Firmware. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 6.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly validates the macList argument in HTTP POST requests to the set_wifi_blacklists function, preventing malformed inputs from causing null pointer dereference.

SI-11 Error Handling partial match
prevent

Ensures null pointer errors from invalid macList manipulation are handled gracefully without resulting in device crashes or denial of service.

SI-2 Flaw Remediation good match
prevent

Provides timely remediation of the specific null pointer dereference flaw through firmware patching for affected D-Link DIR-823X routers.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Null pointer dereference in HTTP handler directly enables remote DoS via application/system exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability, which was classified as problematic, was found in D-Link DIR-823X 240126/240802. This affects the function set_wifi_blacklists of the file /goform/set_wifi_blacklists of the component HTTP POST Request Handler. The manipulation of the argument macList leads to null pointer dereference.…

more

It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

Deeper analysisAI

CVE-2025-1103 is a problematic vulnerability in D-Link DIR-823X routers running firmware versions 240126 and 240802. It resides in the set_wifi_blacklists function within the file /goform/set_wifi_blacklists of the HTTP POST Request Handler component. The flaw is triggered by manipulating the macList argument, resulting in a null pointer dereference (CWE-404, CWE-476).

A remote attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. The CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) reflects a high availability impact through device crash or denial of service, with no effects on confidentiality or integrity.

Advisories reference a detailed Notion page on the vulnerability, multiple VULDB entries including submission details, and the D-Link website. The exploit has been publicly disclosed and may be used by attackers.

Details

CWE(s)
CWE-404CWE-476

Affected Products

dlink
dir-823x firmware
240126, 240802

CVEs Like This One

CVE-2025-0492Same product: Dlink Dir-823X
CVE-2025-2717Same product: Dlink Dir-823X
CVE-2025-10401Same product: Dlink Dir-823X
CVE-2026-2175Same product: Dlink Dir-823X
CVE-2026-2210Same product: Dlink Dir-823X
CVE-2026-2081Same product: Dlink Dir-823X
CVE-2025-55848Same product: Dlink Dir-823X
CVE-2026-2120Same product: Dlink Dir-823X
CVE-2026-1544Same product: Dlink Dir-823X
CVE-2026-2157Same product: Dlink Dir-823X

References