CVE-2025-2359

7.3 HIGH

📋 TL;DR

This critical vulnerability in D-Link DIR-823G routers allows attackers to bypass authorization controls and manipulate DDNS settings remotely via the SetDDNSSettings function. It affects users of D-Link DIR-823G routers running firmware version 1.0.2B05_20181207. The vulnerability is particularly concerning because these products are no longer supported by the vendor.

💻 Affected Systems

Products:
  • D-Link DIR-823G
Versions: 1.0.2B05_20181207
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with DDNS service enabled. Products are end-of-life with no vendor support.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could take full control of the router, redirect DNS traffic to malicious servers, intercept sensitive data, or use the device as part of a botnet.

🟠

Likely Case

Attackers will modify DDNS settings to redirect legitimate traffic to malicious sites for phishing, credential theft, or malware distribution.

🟢

If Mitigated

With proper network segmentation and access controls, impact would be limited to the affected router only, preventing lateral movement.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available. Attack requires network access to the router's HNAP1 interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch available. Device is end-of-life. Replace with supported hardware.

🔧 Temporary Workarounds

Disable DDNS Service

Platform: all

Turn off Dynamic DNS functionality in router settings

Block HNAP1 Interface

Platform: linux

Use firewall rules to block access to the /HNAP1/ endpoint

iptables -A INPUT -p tcp --dport 80 -m string --string "POST /HNAP1/" --algo bm -j DROP

🧯 If You Can't Patch

  • Immediately replace affected routers with supported models
  • Isolate affected devices in separate VLAN with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface. If the version is 1.0.2B05_20181207, the device is vulnerable.

Check Version:

curl -s http://router-ip/ | grep -i firmware

Verify Fix Applied:

Test whether DDNS settings can still be modified without authentication via SOAP requests to /HNAP1/.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SOAP requests to /HNAP1/SetDDNSSettings
  • Unauthorized DDNS configuration changes

Network Indicators:

  • SOAP requests with manipulated SOAPAction headers to router port 80
  • Unexpected DNS traffic redirection

SIEM Query:

source="router-logs" AND (uri="/HNAP1/SetDDNSSettings" OR soapaction="SetDDNSSettings")
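The log and network indicators above, turned into detection logic over a few constructed access-log lines. This is an added example, not code from the page; the log format, the hnap_auth field and the purenetworks SOAPAction namespace are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed format: timestamp, source IP, request
# line, SOAPAction header, whether an HNAP_AUTH header was present, status).
SAMPLE_LOG = """\
2025-04-01T10:00:01Z 192.168.0.23 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/GetDeviceSettings" hnap_auth=yes status=200
2025-04-01T10:00:07Z 192.168.0.23 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/SetDDNSSettings" hnap_auth=yes status=200
2025-04-01T10:03:42Z 203.0.113.9 POST /HNAP1/ soapaction="http://purenetworks.com/HNAP1/SetDDNSSettings" hnap_auth=no status=200
2025-04-01T10:04:00Z 203.0.113.9 GET /index.html soapaction=- hnap_auth=no status=200
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) '
    r'soapaction="?(?P<soapaction>[^" ]*)"? hnap_auth=(?P<auth>yes|no) status=(?P<status>\d+)$'
)

@dataclass
class Alert:
    ts: str
    src: str
    severity: str
    reason: str

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_set_ddns(rec):
    # Same condition as the SIEM query: the URI or the SOAPAction names SetDDNSSettings.
    return rec["uri"].startswith("/HNAP1/") and (
        rec["uri"].endswith("SetDDNSSettings") or rec["soapaction"].endswith("SetDDNSSettings"))

def detect(log_text, trusted_nets=("192.168.",)):
    """Flag every SetDDNSSettings call; rate it higher when the request carries
    no HNAP_AUTH header or comes from outside the trusted LAN prefixes."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_set_ddns(rec):
            continue
        if rec["auth"] == "no":
            sev, why = "high", "SetDDNSSettings request without HNAP_AUTH header"
        elif not rec["src"].startswith(trusted_nets):
            sev, why = "high", "SetDDNSSettings request from outside the LAN"
        else:
            sev, why = "medium", "DDNS configuration change (confirm it was expected)"
        alerts.append(Alert(rec["ts"], rec["src"], sev, why))
    return alerts
```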
