Cyber Posture

CVE-2025-29635

High · CISA KEV · Active Exploitation · Public PoC · RCE

Published: 25 March 2025
Modified: 24 April 2026
KEV Added: 24 April 2026
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6572 (98.5th percentile)
Risk Priority: 74 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-29635 is a high-severity Command Injection (CWE-77) vulnerability in Dlink Dir-823X Firmware. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent · recover: SI-2 (Flaw Remediation)

Requires timely remediation of the specific command injection flaw in D-Link DIR-823X firmware versions 240126 and 240802 to eliminate the vulnerability.

prevent: SI-10 (Information Input Validation)

Mandates validation and sanitization of inputs to the /goform/set_prohibiting POST endpoint to directly block command injection attacks.

detect

Enables detection of firmware modifications or integrity violations resulting from exploitation, such as Mirai botnet infections.
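As a companion to the SI-10 and detect controls above, the following added example (not code from this page or from D-Link) triages router access logs for POST requests to /goform/set_prohibiting whose parameters carry shell metacharacters. The log format and the parameter names are assumptions; the page does not list the endpoint's field names.

```python
"""Triage helper: flag POST requests to the DIR-823X /goform/set_prohibiting
endpoint whose form fields contain shell metacharacters (CWE-77 indicator)."""
import re
from urllib.parse import parse_qs

ENDPOINT = "/goform/set_prohibiting"
# Characters a shell treats as command separators or substitution; none of
# them belong in a hostname or MAC address submitted to a parental-control form.
SHELL_META = re.compile(r"[;|&`$\n]")


def score_request(method: str, path: str, body: str) -> dict:
    """Return a verdict for one request; body is a raw URL-encoded form."""
    on_endpoint = method.upper() == "POST" and path.split("?", 1)[0] == ENDPOINT
    if not on_endpoint:
        return {"endpoint": False, "suspicious": False, "fields": []}
    flagged = []
    # parse_qs URL-decodes values, so "%3B" is inspected as ";"
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if any(SHELL_META.search(v) for v in values):
            flagged.append(name)
    return {"endpoint": True, "suspicious": bool(flagged), "fields": sorted(flagged)}


def scan_log(lines):
    """Parse assumed log lines of the form: src method path "body" -> alerts."""
    alerts = []
    for line in lines:
        m = re.match(r'(\S+) (\S+) (\S+) "(.*)"$', line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, method, path, body = m.groups()
        verdict = score_request(method, path, body)
        if verdict["suspicious"]:
            alerts.append({"src": src, "fields": verdict["fields"]})
    return alerts


# Constructed sample log lines (not real captures); field names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 POST /goform/set_prohibiting "host=example.test&mac=00:11:22:33:44:55"',
    '198.51.100.7 POST /goform/set_prohibiting "host=x%3Bid"',  # ";" in a field
    '192.0.2.10 GET /goform/set_prohibiting ""',
    '203.0.113.9 POST /goform/other "host=a%7Cid"',  # wrong endpoint, not scored
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"suspicious set_prohibiting POST from {alert['src']}: {alert['fields']}")
```

Because the endpoint requires an authenticated session, an alert is a triage signal to correlate with the admin login that preceded it rather than proof of compromise on its own.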

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in web management endpoint (/goform/set_prohibiting) on exposed router enables exploitation of public-facing application for initial access (T1190) and arbitrary command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.

Deeper analysis

CVE-2025-29635 is a command injection vulnerability (CWE-77) affecting D-Link DIR-823X routers running firmware versions 240126 and 240802. It enables an authorized attacker to execute arbitrary commands on the targeted device by sending a specially crafted POST request to the /goform/set_prohibiting endpoint through the associated function, resulting in remote command execution. The vulnerability carries a CVSS v3.1 base score of 7.2 (High), reflecting network accessibility, low attack complexity, high required privileges, no user interaction, unchanged scope, and high impacts on confidentiality, integrity, and availability.

An attacker with high privileges, such as administrative access to the device, can exploit this vulnerability over the network with low complexity and no need for user interaction. Successful exploitation grants remote command execution on the router, potentially allowing full compromise of the device, including data exfiltration, modification of configurations, or disruption of services.

Advisories reference a GitHub repository detailing the vulnerability at https://github.com/mono7s/Dir-823x/blob/main/set_prohibiting/set_prohibiting.md, an Akamai security research blog at https://www.akamai.com/blog/security-research/2026/apr/cve-2025-29635-mirai-campaign-targets-d-link-devices, and CISA's Known Exploited Vulnerabilities catalog entry at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-29635, which collectively highlight exploitation details and urge mitigation through patching or configuration hardening where available.

Notably, the vulnerability has seen real-world exploitation, including targeting by a Mirai botnet campaign as documented by Akamai, and its inclusion in CISA's Known Exploited Vulnerabilities catalog confirms active exploitation in the wild.

Details

CWE(s): CWE-77 (Command Injection)
KEV Date Added: 24 April 2026

Affected Products

Vendor: dlink
Product: dir-823x firmware
Versions: 240126, 240802

Threat-Actor Attribution

Mirai
Akamai reported a Mirai campaign exploiting CVE-2025-29635 to target D-Link DIR-823X devices.

CVEs Like This One

CVE-2026-2175 · Same product: Dlink Dir-823X
CVE-2026-2210 · Same product: Dlink Dir-823X
CVE-2026-2081 · Same product: Dlink Dir-823X
CVE-2026-2157 · Same product: Dlink Dir-823X
CVE-2026-2063 · Same product: Dlink Dir-823X
CVE-2026-2129 · Same product: Dlink Dir-823X
CVE-2026-2143 · Same product: Dlink Dir-823X
CVE-2026-2155 · Same product: Dlink Dir-823X
CVE-2025-10634 · Same product: Dlink Dir-823X
CVE-2026-2142 · Same product: Dlink Dir-823X
