CVE-2025-2359
Published: 17 March 2025
Summary
CVE-2025-2359 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in D-Link DIR-823G firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 11.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly enforces approved authorizations, preventing unauthorized manipulation of the SetDDNSSettings function via SOAPAction bypass.
Prohibits use of unsupported EOL components like the D-Link DIR-823G, eliminating exposure to this unpatched vulnerability.
Enforces least functionality by disabling unnecessary DDNS services, which blocks access to the vulnerable /HNAP1/ endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authorization bypass in a public-facing router management endpoint (/HNAP1/ DDNS service), enabling remote unauthenticated exploitation of an Internet-facing device, which directly maps to T1190 Exploit Public-Facing Application.
NVD Description
A vulnerability classified as critical has been found in D-Link DIR-823G 1.0.2B05_20181207. Affected is the function SetDDNSSettings of the file /HNAP1/ of the component DDNS Service. The manipulation of the argument SOAPAction leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysis
CVE-2025-2359 is a critical improper authorization vulnerability in the D-Link DIR-823G router running firmware version 1.0.2B05_20181207. The issue resides in the SetDDNSSettings function within the /HNAP1/ endpoint of the DDNS Service component, where manipulation of the SOAPAction argument bypasses required authorization checks. Associated with CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), it carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-03-17.
The vulnerability can be exploited remotely without authentication or user interaction, allowing unauthenticated attackers to manipulate DDNS settings. Successful exploitation has limited impact: low-level confidentiality, integrity, and availability effects, such as unauthorized changes to DDNS configurations that could facilitate further network reconnaissance or persistence.
Advisories from sources like VulDB indicate no patches are available, as the affected D-Link DIR-823G products are no longer supported by the manufacturer. The D-Link website provides general support information but no specific remediation for this firmware version.
An exploit for CVE-2025-2359 has been publicly disclosed, increasing the risk for exposed, end-of-life devices still in use.
Details
- CWE(s)