CVE-2025-2359
Published: 17 March 2025
Summary
CVE-2025-2359 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in D-Link DIR-823G firmware. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 7.4% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Deeper analysis
A critical vulnerability exists in the D-Link DIR-823G router running firmware 1.0.2B05_20181207. It resides in the SetDDNSSettings function of the DDNS Service component exposed at /HNAP1/, where improper handling of the SOAPAction argument permits authorization bypass. The issue is tracked under CWE-266 and CWE-285, carries a CVSS 4.0 score of 6.9, and affects only devices that are no longer supported by the vendor.
Remote, unauthenticated attackers can invoke the affected endpoint over the network to perform unauthorized actions against the DDNS configuration, resulting in limited but direct impacts to confidentiality, integrity, and availability. Public exploit code has been released, enabling straightforward reproduction of the attack.
The device is explicitly noted as end-of-support, so no official patches or firmware updates are available from D-Link. Public references, including a detailed disclosure on Notion and entries on VulDB, document the flaw but provide no mitigation guidance beyond the unsupported status.
EPSS remains flat at 0.0858 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6459
Vulnerability details
A vulnerability classified as critical has been found in D-Link DIR-823G 1.0.2B05_20181207. Affected is the function SetDDNSSettings of the file /HNAP1/ of the component DDNS Service. The manipulation of the argument SOAPAction leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authorization bypass in a public-facing router management endpoint (/HNAP1/ DDNS service), enabling remote unauthenticated exploitation of an Internet-facing device, which directly maps to T1190 Exploit Public-Facing Application.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly enforces approved authorizations, preventing unauthorized manipulation of the SetDDNSSettings function via SOAPAction bypass.
Prohibits use of unsupported EOL components like the D-Link DIR-823G, eliminating exposure to this unpatched vulnerability.
Enforces least functionality by disabling unnecessary DDNS services, blocking access to the vulnerable /HNAP1/ endpoint.
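To check whether the access restriction on /HNAP1/ actually holds, the following added example (not part of the original advisory or any vendor tooling) scans HTTP request logs for SetDDNSSettings calls arriving from outside the management network. The JSON log schema (ts, src, method, path, soapaction), the trusted network and the SOAPAction namespace in the sample values are assumptions; the log records are constructed.

```python
import ipaddress
import json

# Assumption: the only network allowed to reach the router's management interface.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]
WATCHED_ACTION = "setddnssettings"  # HNAP function named in the CVE text, lowercased

# Constructed sample records (hypothetical proxy log schema, documentation IP ranges).
SAMPLE_LOG = r'''
{"ts": "2025-03-18T09:14:02Z", "src": "192.168.0.23", "method": "POST", "path": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/SetDDNSSettings\""}
{"ts": "2025-03-18T09:15:40Z", "src": "203.0.113.45", "method": "POST", "path": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/SetDDNSSettings\""}
{"ts": "2025-03-18T09:17:30Z", "src": "198.51.100.7", "method": "POST", "path": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\""}
truncated non-JSON line
{"ts": "2025-03-18T09:18:05Z", "src": "-", "method": "POST", "path": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/SetDDNSSettings\""}
'''

def soap_action_name(header):
    """Reduce a SOAPAction header value to its final path component."""
    return header.strip().strip('"').rstrip("/").rsplit("/", 1)[-1]

def is_trusted(src):
    """True only when src parses as an address inside a trusted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_suspect_requests(log_text):
    """Return (ts, src, action) for watched HNAP calls from untrusted sources."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(rec, dict):
            continue
        path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/").lower()
        if rec.get("method") != "POST" or path != "/hnap1":
            continue
        action = soap_action_name(str(rec.get("soapaction", "")))
        if action.lower() == WATCHED_ACTION and not is_trusted(str(rec.get("src", ""))):
            hits.append((rec.get("ts"), rec.get("src"), action))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("ALERT", *hit)
```

Any hit means the endpoint is reachable from a network that the access policy should have excluded.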