CVE-2025-2717
Published: 25 March 2025
Summary
CVE-2025-2717 is a medium-severity Command Injection (CWE-77) vulnerability in D-Link DIR-823X firmware. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 34.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly prevents OS command injection by requiring validation of the target_addr argument in the /goform/diag_nslookup HTTP POST handler.
Mandates identification, reporting, and correction of the specific flaw in sub_41710C of the D-Link DIR-823X firmware versions 240126/240802.
Restricts non-essential diagnostic functions like diag_nslookup on the router to minimize attack surface for command injection exploits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in network device diagnostic endpoint (diag_nslookup) directly enables arbitrary OS command execution on the router.
NVD Description
A vulnerability, which was classified as critical, has been found in D-Link DIR-823X 240126/240802. This issue affects the function sub_41710C of the file /goform/diag_nslookup of the component HTTP POST Request Handler. The manipulation of the argument target_addr leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-2717 is a vulnerability, classified as critical in the NVD description, in D-Link DIR-823X routers running firmware versions 240126 or 240802. It resides in the sub_41710C function within the /goform/diag_nslookup endpoint of the HTTP POST Request Handler component. The flaw allows OS command injection through manipulation of the target_addr argument, as identified under CWE-77 and CWE-78. The vulnerability was published on 2025-03-25 and carries a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
Attackers can exploit this vulnerability remotely over the network with low complexity, but exploitation requires high privileges (PR:H), such as administrative access to the device. Successful exploitation has limited impact: low-level confidentiality, integrity, and availability violations through injected OS commands.
Advisories from VulDB document the issue (CTI ID 300737) and reference a public exploit disclosure, while a GitHub repository provides detailed analysis and proof-of-concept for the diag_nslookup endpoint. The D-Link website is listed as a reference, though no specific patch details are outlined in the available sources.
The exploit has been publicly disclosed and may be used, increasing the risk for unpatched D-Link DIR-823X devices.
Details
- CWE(s)