Cyber Resilience

CVE-2025-2717

Medium

Published: 25 March 2025

Modified: 21 May 2025
KEV Added:
Patch:
CVSS Score v4: 5.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0049 (66.0th percentile)
Risk Priority: 10 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-2717 is a medium-severity Command Injection (CWE-77) vulnerability in D-Link DIR-823X firmware. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Device CLI (T1059.008). The CVE ranks in the top 34.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

A critical OS command injection vulnerability affects the D-Link DIR-823X router firmware versions 240126 and 240802. It resides in the sub_41710C function of the /goform/diag_nslookup component within the HTTP POST Request Handler, where unsanitized input to the target_addr argument enables arbitrary command execution. The flaw is tracked under CWE-77 and CWE-78 and carries a CVSS 4.0 score of 5.1.

An authenticated remote attacker with administrative privileges can send a crafted HTTP POST request to inject and execute operating system commands on the device. Public exploit code has been released, allowing an adversary to achieve limited control over the router's operating environment without user interaction.

The EPSS score has risen from a low baseline to a recorded peak of 0.0144, indicating increased exploitation interest after public disclosure. References include a detailed proof-of-concept on GitHub along with VulDB entries, though no vendor patch or mitigation guidance is specified in the available sources.

Vulnerability details

A vulnerability, which was classified as critical, has been found in D-Link DIR-823X 240126/240802. This issue affects the function sub_41710C of the file /goform/diag_nslookup of the component HTTP POST Request Handler. The manipulation of the argument target_addr leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

OS command injection in network device diagnostic endpoint (diag_nslookup) directly enables arbitrary OS command execution on the router.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2082 (same product: D-Link DIR-823X)
CVE-2026-2210 (same product: D-Link DIR-823X)
CVE-2026-1544 (same product: D-Link DIR-823X)
CVE-2026-2157 (same product: D-Link DIR-823X)
CVE-2026-2129 (same product: D-Link DIR-823X)
CVE-2026-2143 (same product: D-Link DIR-823X)
CVE-2026-2084 (same product: D-Link DIR-823X)
CVE-2026-2063 (same product: D-Link DIR-823X)
CVE-2026-2175 (same product: D-Link DIR-823X)
CVE-2026-2155 (same product: D-Link DIR-823X)

Affected Assets

Vendor: dlink
Product: dir-823x firmware
Versions: 240126, 240802

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly prevents OS command injection by requiring validation of the target_addr argument in the /goform/diag_nslookup HTTP POST handler.

Prevent: Mandates identification, reporting, and correction of the specific flaw in sub_41710C of the D-Link DIR-823X firmware versions 240126/240802.

Prevent: Restricts non-essential diagnostic functions like diag_nslookup on the router to minimize attack surface for command injection exploits.
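
One way to implement the input validation described above for target_addr, as an added example that is not D-Link's firmware code and not part of the original entry: an allowlist check that accepts only hostnames and dotted IPv4 literals. The function name is_valid_lookup_target is hypothetical, the sample inputs are constructed, and the sketch assumes IPv6 literals are not needed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not D-Link's code): allowlist check for a value such
 * as target_addr before it reaches a lookup tool. Accepts RFC 1123 hostnames
 * and dotted IPv4 literals: ASCII letters, digits, '-' and '.' only. */
bool is_valid_lookup_target(const char *s)
{
    if (s == NULL)
        return false;
    size_t len = strlen(s);
    if (len == 0 || len > 253)              /* DNS name length limit */
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            /* no empty labels; a label may not end in '-' */
            if (label_len == 0 || s[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        /* Allowlist, not denylist: separators, quotes, whitespace, newlines
         * and every other shell metacharacter fail this test by construction. */
        bool alnum = (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                     (c >= 'A' && c <= 'Z');
        if (!alnum && c != '-')
            return false;
        if (c == '-' && label_len == 0)     /* leading '-' would parse as an option */
            return false;
        if (++label_len > 63)               /* DNS label length limit */
            return false;
    }
    /* the last label must be non-empty and must not end in '-' */
    return label_len > 0 && s[len - 1] != '-';
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "192.168.0.1", "host-1.example.com", "example.com;id", "-h" };
    for (size_t i = 0; i < 4; i++)
        printf("%-20s %s\n", samples[i], is_valid_lookup_target(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation of this kind is strongest when the lookup tool is then started with an argument vector (an exec-family call) rather than a command string passed to a shell, so that no shell ever parses the value.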

References