CVE-2025-2360
Published: 17 March 2025
Summary
CVE-2025-2360 is a high-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Dlink Dir-823G Firmware. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for access to system resources, directly countering the improper authorization bypass in the SetUpnpSettings function via SOAPAction manipulation.
Monitors and controls communications at external boundaries, blocking remote unauthorized access to the vulnerable /HNAP1/ UPnP endpoint.
Requires identification, reporting, and correction of system flaws like this critical CVE, using compensatory controls such as disabling the service since no vendor patches exist for the end-of-support product.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an auth bypass in the public-facing /HNAP1/ UPnP endpoint on an internet-facing router, directly enabling remote exploitation of a public-facing application without credentials.
NVD Description
A vulnerability classified as critical was found in D-Link DIR-823G 1.0.2B05_20181207. Affected by this vulnerability is the function SetUpnpSettings of the file /HNAP1/ of the component UPnP Service. The manipulation of the argument SOAPAction leads to improper authorization. The attack…
more
can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2025-2360 is a critical improper authorization vulnerability (CWE-266, CWE-285) in the D-Link DIR-823G router running firmware version 1.0.2B05_20181207. The issue resides in the SetUpnpSettings function exposed via the /HNAP1/ endpoint of the UPnP Service, where manipulation of the SOAPAction argument bypasses authorization checks. This flaw carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and exclusively impacts products that are no longer supported by the vendor.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants improper authorization, potentially allowing limited disruption to confidentiality, integrity, and availability, such as unauthorized modifications to UPnP settings or service alterations.
Advisories from VulDB and related disclosures, including a public exploit proof-of-concept on a Notion site, confirm no patches are available, as the affected D-Link DIR-823G models are end-of-support. Security practitioners should isolate or decommission these devices, apply network segmentation to block /HNAP1/ access, and monitor for anomalous UPnP traffic.
The exploit has been publicly disclosed and may be actively used against exposed instances, underscoring risks for legacy Internet-facing routers.
Details
- CWE(s)