Cyber Resilience

CVE-2025-2359

Medium · Public PoC

Published: 17 March 2025

Modified: 15 July 2025
KEV Added
Patch
CVSS Score v4: 6.9
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0858 (92.6th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2359 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in D-Link DIR-823G firmware. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

A critical vulnerability exists in the D-Link DIR-823G router running firmware 1.0.2B05_20181207. It resides in the SetDDNSSettings function of the DDNS Service component exposed at /HNAP1/, where improper handling of the SOAPAction argument permits authorization bypass. The issue is tracked under CWE-266 and CWE-285, carries a CVSS 4.0 score of 6.9, and affects only devices that are no longer supported by the vendor.

Remote, unauthenticated attackers can invoke the affected endpoint over the network to perform unauthorized actions against the DDNS configuration, resulting in limited but direct impacts to confidentiality, integrity, and availability. Public exploit code has been released, enabling straightforward reproduction of the attack.

The device is explicitly noted as end-of-support, so no official patches or firmware updates are available from D-Link. Public references, including a detailed disclosure on Notion and entries on VulDB, document the flaw but provide no mitigation guidance beyond the unsupported status.

EPSS remains flat at 0.0858 with no material increase observed after disclosure.


Vulnerability details

A vulnerability classified as critical has been found in D-Link DIR-823G 1.0.2B05_20181207. Affected is the function SetDDNSSettings of the file /HNAP1/ of the component DDNS Service. The manipulation of the argument SOAPAction leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability is an authorization bypass in a public-facing router management endpoint (/HNAP1/ DDNS service), enabling remote unauthenticated exploitation of an Internet-facing device, which directly maps to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-2360: same product (D-Link DIR-823G)
CVE-2026-4193: same product (D-Link DIR-823G)
CVE-2025-2548: same vendor (D-Link)
CVE-2026-4194: same vendor (D-Link)
CVE-2026-4180: same vendor (D-Link)
CVE-2025-25742: same vendor (D-Link)
CVE-2025-70239: same vendor (D-Link)
CVE-2025-13304: same vendor (D-Link)
CVE-2025-70231: same vendor (D-Link)
CVE-2026-2857: same vendor (D-Link)

Affected Assets

dlink · dir-823g firmware · 1.0.2b05_20181207

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces approved authorizations, preventing unauthorized manipulation of the SetDDNSSettings function via SOAPAction bypass.

Prevent: Prohibits use of unsupported EOL components like the D-Link DIR-823G, eliminating exposure to this unpatched vulnerability.

Prevent: Enforces least functionality by disabling unnecessary DDNS services, blocking access to the vulnerable /HNAP1/ endpoint.
