CVE-2025-2360 – A critical vulnerability in D-Link DIR-823G rou... (How to Fix)

Q: What is the severity of CVE-2025-2360?

CVE-2025-2360 has a CVSS score of 7.3 (HIGH). A critical vulnerability in D-Link DIR-823G routers allows remote attackers to bypass authorization controls via manipulation of the SOAPAction parameter in the UPnP service. This affects D-Link DIR-823G routers running firmware version 1.0.2B05_20181207. The vulnerability is particularly dangerous as these devices are no longer supported by the manufacturer.

📋 TL;DR

A critical vulnerability in D-Link DIR-823G routers allows remote attackers to bypass authorization controls via manipulation of the SOAPAction parameter in the UPnP service. This affects D-Link DIR-823G routers running firmware version 1.0.2B05_20181207. The vulnerability is particularly dangerous as these devices are no longer supported by the manufacturer.

💻 Affected Systems

Products:

D-Link DIR-823G

Versions: 1.0.2B05_20181207

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices with UPnP service enabled (typically enabled by default). Products are end-of-life with no vendor support.

📦 What is this software?

Dir 823g Firmware by Dlink

View all CVEs affecting Dir 823g Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker gains administrative access to router, enabling network takeover, traffic interception, malware deployment, and lateral movement into connected networks.

🟠

Likely Case

Remote attacker modifies router configuration, changes DNS settings, redirects traffic, or disables security features.

🟢

If Mitigated

Attack prevented through network segmentation, firewall rules, or device replacement.

🌐 Internet-Facing: HIGH - Vulnerability is remotely exploitable and affects internet-facing routers with UPnP enabled.

🏢 Internal Only: MEDIUM - Internal attackers could exploit if they have network access, but external exposure is the primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details have been publicly disclosed. Attack requires sending specially crafted SOAP requests to the UPnP service endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.dlink.com/

Restart Required: No

Instructions:

No official patch available as product is end-of-life. Replace affected devices with supported models.

🔧 Temporary Workarounds

Disable UPnP Service

all

Turn off UPnP functionality in router settings to prevent exploitation via this service.

Access router admin interface > Advanced > UPnP > Disable

Block External UPnP Access

linux

Configure firewall to block external access to UPnP service (port 1900/udp and related ports).

iptables -A INPUT -p udp --dport 1900 -j DROP
iptables -A INPUT -p tcp --dport 1900 -j DROP

🧯 If You Can't Patch

Replace affected D-Link DIR-823G routers with currently supported models from any vendor.
Segment affected routers into isolated network zones with strict firewall rules limiting their communication.

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.0.2B05_20181207 and UPnP is enabled, device is vulnerable.

Check Version:

Check router web interface or use: curl -s http://router-ip/HNAP1/ | grep -i version

Verify Fix Applied:

Verify UPnP is disabled in router settings and test that UPnP service does not respond to external requests.

📡 Detection & Monitoring

Log Indicators:

Unusual SOAP requests to /HNAP1/ endpoint
Multiple failed authentication attempts followed by successful UPnP configuration changes
Router configuration changes from unexpected IP addresses

Network Indicators:

Unusual traffic to router port 1900/udp from external sources
SOAP requests with manipulated SOAPAction headers
UPnP discovery requests from suspicious IPs

SIEM Query:

source="router-logs" AND (uri="/HNAP1/" OR protocol="UPnP") AND (status="200" OR action="SetUpnpSettings")

📊 Metadata

CVE ID: CVE-2025-2360

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-266

EPSS Score: 0.37% exploit probability (58.1th percentile)

Published: March 17, 2025

Last Updated: July 15, 2025

🔗 References

https://lavender-bicycle-a5a.notion.site/D-Link-DIR-823G-SetUpnpSettings-1ac53a41781f80d1a290c8d5da3e795e?pvs=4 Exploit,Third Party Advisory
https://vuldb.com/?ctiid.299827 Permissions Required,VDB Entry
https://vuldb.com/?id.299827 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.513751 Third Party Advisory,VDB Entry
https://www.dlink.com/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2360, you might also want to check these: