CVE-2025-55848
Published: 26 September 2025
Summary
CVE-2025-55848 is a high-severity Command Injection (CWE-77) vulnerability in D-Link DIR-823X firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the command injection vulnerability by requiring validation and sanitization of untrusted inputs like the http_casswd parameter to block special characters such as '&'.
Mitigates the RCE flaw through timely firmware patching to remediate the improper filtering in the set_cassword interface.
Limits exploitation from adjacent networks by monitoring and controlling access to the vulnerable router management interface.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The RCE vulnerability via unsanitized HTTP parameter in the router's web interface enables exploitation of a public-facing application (T1190) and command execution on a network device CLI (T1059.008).
NVD Description
An issue was discovered in DIR-823 firmware 20250416. There is an RCE vulnerability in the set_cassword settings interface, as the http_casswd parameter is not filtered by '&' to allow injection of reverse connection commands.
Deeper analysis
CVE-2025-55848 is a remote code execution (RCE) vulnerability discovered in firmware version 20250416 of the D-Link DIR-823 router. The issue resides in the set_cassword settings interface, where the http_casswd parameter fails to properly filter the '&' character. This flaw enables attackers to inject arbitrary commands, such as reverse connection commands, leading to command injection as documented under CWE-77. The vulnerability carries a CVSS v3.1 base score of 8.8, reflecting its high severity.
Attackers on an adjacent network (AV:A) can exploit this vulnerability with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). Successful exploitation has high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), allowing full RCE on the affected device within the local network segment, such as via a malicious HTTP request to the vulnerable endpoint.
For mitigation details, security practitioners should refer to the D-Link security bulletin at https://www.dlink.com/en/security-bulletin/ and the technical analysis including proof-of-concept at https://github.com/meigui637/iot_zone/blob/main/%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E.md. Updating to a patched firmware version, if available, is recommended alongside network segmentation to limit adjacent access.
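The SI-10 input validation control described above, as an added example (not code from the advisory, the referenced analysis, or D-Link's firmware): it decodes a form-encoded request body first and only then applies an allowlist to http_casswd, next to a raw-string check for '&' that can never fire. The character policy, length bounds, function names and sample bodies are assumptions constructed for illustration.

```python
import string
from urllib.parse import parse_qs

PARAM = "http_casswd"  # parameter named in the CVE description
# Assumed policy (not from the vendor): letters, digits and a few safe symbols.
ALLOWED = set(string.ascii_letters + string.digits + "-_.@")
MIN_LEN, MAX_LEN = 8, 63  # assumed length bounds

def naive_raw_check(body):
    """Flawed ordering: look for '&' in the still-encoded value."""
    for pair in body.split("&"):
        key, _, raw = pair.partition("=")
        if key == PARAM:
            # Always True: a literal '&' was consumed as the field separator,
            # and an encoded one is still spelled %26 at this point.
            return "&" not in raw
    return True

def inspect_body(body):
    """Decode the form body, then return (verdict, offending_chars) for PARAM."""
    values = parse_qs(body, keep_blank_values=True).get(PARAM)
    if values is None:
        return ("absent", "")
    if len(values) != 1:
        return ("reject", "")  # duplicated parameter is ambiguous, refuse it
    value = values[0]
    bad = "".join(sorted({c for c in value if c not in ALLOWED}))
    if bad or not MIN_LEN <= len(value) <= MAX_LEN:
        return ("reject", bad)
    return ("accept", "")

# Constructed sample request bodies (placeholders only, no real commands).
SAMPLES = [
    "http_casswd=Correct-Horse_42",
    "http_casswd=Passw0rd%26PLACEHOLDER&other=1",  # encoded '&' inside the value
    "http_casswd=Passw0rd%2526x",                  # double-encoded '&'
    "http_casswd=aaaaaaaa&http_casswd=bbbbbbbb",   # duplicated parameter
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{body!r}: naive_ok={naive_raw_check(body)} "
              f"decoded={inspect_body(body)}")
```

The same allowlist belongs in the handler itself, so that the value is rejected before it can reach any command line.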
Details
- CWE(s)