CVE-2025-2717
Published: 25 March 2025
Summary
CVE-2025-2717 is a medium-severity Command Injection (CWE-77) vulnerability in D-Link DIR-823X firmware. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 34.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
A critical OS command injection vulnerability affects the D-Link DIR-823X router firmware versions 240126 and 240802. It resides in the sub_41710C function of the /goform/diag_nslookup component within the HTTP POST Request Handler, where unsanitized input to the target_addr argument enables arbitrary command execution. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.1.
An authenticated remote attacker with administrative privileges can send a crafted HTTP POST request to inject and execute operating system commands on the device. Public exploit code has been released, allowing an adversary to achieve limited control over the router's operating environment without user interaction.
The EPSS score has risen from a low baseline to a recorded peak of 0.0144, indicating increased exploitation interest after public disclosure. References include a detailed proof-of-concept on GitHub along with VulDB entries, though no vendor patch or mitigation guidance is specified in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8039
Vulnerability details
A vulnerability, which was classified as critical, has been found in D-Link DIR-823X 240126/240802. This issue affects the function sub_41710C of the file /goform/diag_nslookup of the component HTTP POST Request Handler. The manipulation of the argument target_addr leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in network device diagnostic endpoint (diag_nslookup) directly enables arbitrary OS command execution on the router.
Mitigating Controls (NIST 800-53 r5)
Directly prevents OS command injection by requiring validation of the target_addr argument in the /goform/diag_nslookup HTTP POST handler.
Mandates identification, reporting, and correction of the specific flaw in sub_41710C of the D-Link DIR-823X firmware versions 240126/240802.
Restricts non-essential diagnostic functions like diag_nslookup on the router to minimize attack surface for command injection exploits.
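The input validation named above for target_addr, sketched as an added example (not D-Link's code and not code from the original page): an allow-list check a diagnostic handler could apply before running a lookup, plus an argument vector that keeps the value out of a shell. The function names, the host-name and IPv4-only policy, and the `nslookup` program name are assumptions.

```c
#include <ctype.h>
#include <string.h>

/* Added example, hypothetical names. Allow-list for a lookup target:
 * dot-separated labels of 1..63 chars from [A-Za-z0-9-], no label
 * starting or ending with '-', total length 1..253. This covers host
 * names and dotted IPv4 text; IPv6 is out of scope (assumption).
 * Returns 1 if acceptable, 0 otherwise. */
int valid_lookup_target(const char *s)
{
    size_t len, i, label_len = 0;
    if (s == NULL)
        return 0;
    len = strlen(s);
    if (len == 0 || len > 253)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* reject an empty label or a label ending in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return 0;
            label_len = 0;
            continue;
        }
        /* allow-list only: spaces, quotes, shell metacharacters fail here */
        if (c > 127 || !(isalnum(c) || c == '-'))
            return 0;
        /* a leading '-' could also be parsed as an option by the tool */
        if (label_len == 0 && c == '-')
            return 0;
        if (++label_len > 63)
            return 0;
    }
    /* reject a trailing '.' or trailing '-' */
    return label_len > 0 && s[len - 1] != '-';
}

/* Builds an argument vector for exec-style APIs so the value is passed
 * as one argument and never through a shell. "nslookup" is assumed. */
int build_lookup_argv(const char *target, const char *argv[3])
{
    if (!valid_lookup_target(target))
        return 0;
    argv[0] = "nslookup";
    argv[1] = target;
    argv[2] = NULL;
    return 1;
}
```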