CVE-2025-29635

Analyzed
Published: 25 Mar 2025, 00:00
Last modified: 25 Apr 2026, 03:55

Vulnerability Summary

Overall Risk (default)
medium
39/100
CVSS Score
7.2 HIGH
v3.1 (cve.org)
EPSS Score
1.25% LOW
1% probability -0.39%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

25 Mar 2025, 00:00
Published
Vulnerability first disclosed
24 Apr 2026, 00:00
Added to CISA KEV
D-Link DIR-823X Command Injection Vulnerability
25 Apr 2026, 03:55
Last Modified
Vulnerability information updated
08 May 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.

CVSS Metrics

  • v3.1 HIGH, Score: 7.2, Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 1.25% Percentile: 79%

Techniques & Countermeasures

  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

    The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Systems

  • dlink / dir-823x_firmware

    240126 | 240802

References (3)