CVE Alert: CVE-2025-10123 – D-Link – DIR-823X
CVE-2025-10123
A vulnerability was determined in D-Link DIR-823X up to 250416. Affected by this vulnerability is the function sub_415028 of the file /goform/set_static_leases. Executing manipulation of the argument Hostname can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.
AI Summary Analysis
Risk verdict
High risk with remote command injection possible; with publicly disclosed PoC, exploitation can be attempted without user interaction.
Why this matters
Attacker control over the device can lead to system compromise, data exposure, or use of the router as a foothold for internal network access. For organisations, this threatens connectivity, perimeter integrity, and potential pivot to adjacent hosts.
Most likely attack path
Exploitation requires no user interaction and no privileges (PR:N), over the network (AV:N). An attacker sends a crafted Hostname to /goform/set_static_leases, triggering command execution (C:I/L/A:L). The impact is local to the device but can facilitate further network reconnaissance or abuse of trusted network paths, enabling lateral movement if the router controls internal traffic.
Who is most exposed
Home and small-business routers in typical consumer deployments are at risk, especially where devices are internet-facing or poorly segmented from critical assets.
Detection ideas
- Anomalous HTTP requests to /goform/set_static_leases with suspicious Hostname values.
- Child processes or shell activity initiated by the router after specific requests.
- Unusual outbound connections or DNS lookups originating from the router.
- Log entries showing failed/blocked commands or unexpected command execution symptoms.
- Known PoC indicators or signatures appearing in network traffic or device logs.
Mitigation and prioritisation
- Apply patched firmware (250416 or newer) addressing this command injection; verify vendor guidance and patch level.
- If patching is delayed, disable or restrict remote management and unneeded WAN exposure; implement strong network segmentation.
- Monitor firmware logs, command execution attempts, and unusual hostnames; enable enhanced logging where available.
- Validate device configurations during change windows; document rollback procedures.
- Note: Data on KEV and EPSS is not provided; if KEV is true or EPSS ≥ 0.5, treat as priority 1. If absent, proceed with high-priority remediation.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
