CVE-2025-29635 – A command injection vulnerability in D-Link DIR... (How to Fix)

Q: What is the severity of CVE-2025-29635?

CVE-2025-29635 has a CVSS score of 8.8 (HIGH). A command injection vulnerability in D-Link DIR-823X routers allows authenticated attackers to execute arbitrary commands on affected devices by sending specially crafted POST requests to the /goform/set_prohibiting endpoint. This affects users of DIR-823X routers with firmware versions 240126 and 240802, potentially giving attackers full control over the device.

📋 TL;DR

A command injection vulnerability in D-Link DIR-823X routers allows authenticated attackers to execute arbitrary commands on affected devices by sending specially crafted POST requests to the /goform/set_prohibiting endpoint. This affects users of DIR-823X routers with firmware versions 240126 and 240802, potentially giving attackers full control over the device.

💻 Affected Systems

Products:

D-Link DIR-823X

Versions: 240126 and 240802 firmware versions

Operating Systems: Embedded Linux-based router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authentication to exploit, but default credentials or weak passwords increase risk significantly.

📦 What is this software?

Dir 823x Firmware by Dlink

View all CVEs affecting Dir 823x Firmware →

Dir 823x Firmware by Dlink

View all CVEs affecting Dir 823x Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, or use the device as part of a botnet.

🟠

Likely Case

Attackers gain shell access to modify router settings, steal credentials, or deploy cryptocurrency miners on vulnerable devices.

🟢

If Mitigated

Limited impact if network segmentation isolates the router and strong authentication controls prevent unauthorized access.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices that can be directly targeted by remote attackers.

🏢 Internal Only: MEDIUM - Internal attackers with network access could exploit this if they obtain valid credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploit requires authentication but is well-documented in public GitHub repository with proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check D-Link security advisories for latest patched firmware

Vendor Advisory: Monitor D-Link security advisories page for official response

Restart Required: Yes

Instructions:

1. Log into router admin interface. 2. Navigate to firmware update section. 3. Download latest firmware from D-Link support site. 4. Upload and apply firmware update. 5. Reboot router after update completes.

🔧 Temporary Workarounds

Disable remote administration

all

Prevent external access to router administration interface

Change default credentials

all

Use strong, unique passwords for router administration

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Implement network monitoring for suspicious POST requests to /goform/set_prohibiting

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 240126 or 240802, device is vulnerable.

Check Version:

Check router web interface at System > Firmware or via SSH if enabled: cat /etc/version

Verify Fix Applied:

After updating firmware, verify version number has changed from vulnerable versions and test that POST requests to /goform/set_prohibiting with command injection payloads no longer execute.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to /goform/set_prohibiting
Commands containing shell metacharacters in request parameters
Multiple failed authentication attempts followed by successful login

Network Indicators:

HTTP POST requests to router IP on port 80/443 with /goform/set_prohibiting path
Unusual outbound connections from router to external IPs

SIEM Query:

source="router_logs" AND (uri_path="/goform/set_prohibiting" OR command="*;*" OR command="*|*" OR command="*`*" OR command="*$(*")

📊 Metadata

CVE ID: CVE-2025-29635

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

EPSS Score: 1.64% exploit probability (81.6th percentile)

Published: March 25, 2025

Last Updated: April 3, 2025

🔗 References

https://github.com/mono7s/Dir-823x/blob/main/set_prohibiting/set_prohibiting.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-29635, you might also want to check these: