CVE-2025-10123
📋 TL;DR
This CVE describes an OS command injection vulnerability in D-Link DIR-823X routers. The Hostname parameter of a static DHCP lease request (POST to /goform/set_static_leases) is not sanitised before it reaches a shell, so an attacker who can reach the router's web management interface can execute arbitrary commands on the device. Firmware builds up to and including 250416 are affected, and the public write-up reports that no authentication is required. Successful exploitation gives the attacker full control of the router.
💻 Affected Systems
- D-Link DIR-823X
📦 What is this software?
The DIR-823X is a consumer dual-band wireless router from D-Link, normally deployed as the internet gateway for a home or small office. Its configuration is done through a web interface served by the router itself, which is where the vulnerable form handler lives.
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to install malware, create persistent backdoors, pivot to internal networks, or join botnets.
Likely Case
Router takeover enabling DNS hijacking, credential theft, network monitoring, or denial of service attacks.
If Mitigated
Limited impact if the web management interface is not reachable from the WAN and LAN-side access to it is restricted to a trusted management segment. Note that a compromised or malicious host on the LAN (a guest device, an infected PC) can still reach the interface and exploit the flaw, so perimeter filtering alone does not remove the risk.
🎯 Exploit Status
A public proof-of-concept is available (see References). It consists of a single crafted HTTP POST to the vulnerable form handler and requires no authentication, which puts the attack within reach of automated scanners and botnets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available at time of analysis
Restart Required: Yes
Instructions:
1. Check D-Link support site for firmware updates
2. Download latest firmware for DIR-823X
3. Access router web interface
4. Navigate to firmware update section
5. Upload and apply new firmware
6. Reboot router after update
🔧 Temporary Workarounds
Disable Remote Management
Turn off WAN-side remote management so the web interface is reachable only from the LAN; an attacker on the internet can then no longer send the crafted POST directly.
Network Segmentation
Place the router's management interface on a trusted management VLAN or subnet and block access to it from guest, IoT and general user networks, so a compromised LAN host cannot reach the vulnerable endpoint.
🧯 If You Can't Patch
- Replace affected routers with a supported model that receives security updates
- Block all inbound traffic from the WAN to the router's management interface at an upstream firewall, and restrict LAN-side access to the management interface to a small set of administrator hosts
🔍 How to Verify
Check if Vulnerable:
Check the firmware version in the router web interface (System > Firmware or the equivalent status page). DIR-823X build numbers are date-formatted (YYMMDD), so they compare numerically: if the version is 250416 or lower, the device is vulnerable.
Check Version:
curl -s http://<router-ip>/getcfg.php | grep -i version
(Replace <router-ip> with the router's LAN address. Not every firmware build exposes this endpoint; if it returns nothing useful, rely on the version shown in the web interface.)
Verify Fix Applied:
After updating, confirm the reported firmware version is later than 250416. Any functional re-test with the public PoC should be done only on a device you own, on an isolated network, with a harmless command; never run it against production devices or devices you do not control.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /goform/set_static_leases from unexpected sources, especially the WAN side
- Hostname values that are not valid hostnames: shell metacharacters such as ; | ` $ ( ) & or their URL-encoded forms (%3B %7C %60 %24 %28 %29 %26)
- Unexpected process execution or new listening services on the router
Network Indicators:
- HTTP requests whose form parameters contain shell command fragments
- Unusual outbound connections from the router (reverse shells, malware downloads, C2 traffic)
- DNS queries to suspicious domains, or a change in the DNS servers the router hands out to clients
SIEM Query:
source="router_logs" AND (url="/goform/set_static_leases" AND (Hostname="*;*" OR Hostname="*|*" OR Hostname="*`*" OR Hostname="*$*"))
This query only works if the log source records the POST body; most router or proxy access logs record the request line only. Match on the decoded parameter value, or add the URL-encoded forms above, since the PoC-style payload must be percent-encoded to survive form parsing.
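The indicators above can be turned into a small detector. The following is an added example written for this page, not code from the vendor or from the PoC author. It assumes a log source (a reverse proxy or IDS in front of the router) that records the POST body in a constructed `body="..."` field; that log format, the sample lines and the source addresses are all made up for the example. Rather than only blacklisting metacharacters, it treats anything that is not an RFC 1123 hostname as suspicious, which also catches encodings the blacklist would miss.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/goform/set_static_leases"
TARGET_PARAM = "Hostname"

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
# Anything that does not match is not a hostname and has no business here.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Shell metacharacters listed in an alert so the analyst sees why it fired.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")

# Constructed log format (assumption): timestamp, client IP, request line,
# status, and the raw POST body. Real access logs usually omit the body.
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)

# Constructed sample lines: two legitimate lease entries, two injection
# attempts (x;id and $(uname -a), percent-encoded as a form body), one GET.
SAMPLE_LOG = [
    '2025-09-09T10:00:01Z 192.0.2.10 "POST /goform/set_static_leases HTTP/1.1" 200 '
    'body="Hostname=printer-01&IPAddr=192.168.0.50"',
    '2025-09-09T10:00:02Z 192.0.2.10 "POST /goform/set_static_leases HTTP/1.1" 200 '
    'body="Hostname=nas.home.lan&IPAddr=192.168.0.51"',
    '2025-09-09T10:00:03Z 198.51.100.7 "POST /goform/set_static_leases HTTP/1.1" 200 '
    'body="Hostname=x%3Bid&IPAddr=192.168.0.52"',
    '2025-09-09T10:00:04Z 198.51.100.7 "POST /goform/set_static_leases HTTP/1.1" 200 '
    'body="Hostname=%24%28uname%20-a%29&IPAddr=192.168.0.53"',
    '2025-09-09T10:00:05Z 192.0.2.11 "GET /index.html HTTP/1.1" 200 body=""',
]


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path
    # parse_qs percent-decodes values the same way the router's form parser
    # does. An injected '&' must be sent as %26 to stay inside Hostname at
    # all, so decoding here sees exactly what the vulnerable handler sees.
    rec["params"] = parse_qs(rec["body"], keep_blank_values=True)
    return rec


def classify(rec):
    """Return (verdict, detail): 'alert', 'ok', 'ignore' or 'unparsed'."""
    if rec is None:
        return ("unparsed", "")
    if rec["method"] != "POST" or rec["path"] != TARGET_PATH:
        return ("ignore", "")
    values = rec["params"].get(TARGET_PARAM, [])
    if not values:
        return ("ignore", "no Hostname parameter")
    for v in values:
        if HOSTNAME_RE.match(v):
            continue
        meta = sorted(set(SHELL_META.findall(v)))
        return ("alert", f"src={rec['src']} Hostname={v!r} meta={meta}")
    return ("ok", "")


def scan(lines):
    """Classify every line; returns a list of (verdict, detail) tuples."""
    return [classify(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for verdict, detail in scan(SAMPLE_LOG):
        if verdict == "alert":
            print("ALERT", detail)
```

Running it against the sample lines alerts on the two injection attempts and passes the two genuine lease entries. Because the check is an allow-list, a hostname containing an underscore (some Windows and IoT clients send these) will also alert; if that is noisy in your environment, add `_` to the label character class rather than falling back to a metacharacter blacklist.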
🔗 References
- https://github.com/lin-3-start/lin-cve/blob/main/DIR-823X/D-Link%20DIR-823X%20routers%20have%20an%20unauthorized%20command%20execution%20vulnerability.md
- https://github.com/lin-3-start/lin-cve/blob/main/DIR-823X/D-Link%20DIR-823X%20routers%20have%20an%20unauthorized%20command%20execution%20vulnerability.md#poc
- https://vuldb.com/?ctiid.323093
- https://vuldb.com/?id.323093
- https://vuldb.com/?submit.645712
- https://www.dlink.com/