Description
A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.
Published: 2025-03-25
Score: 7.2 High
EPSS: 53.8% High
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw that permits an attacker with authorized access to send a POST request to /goform/set_prohibiting on the device. This action injects arbitrary shell commands, granting the attacker full control over system processes and data. The weakness aligns with CWE‑77, indicating that unsanitized command execution is possible. The impact is a loss of confidentiality, integrity, and availability for the affected device.

Affected Systems

D‑Link DIR‑823X routers running firmware 240126 and 240802 are affected. The flaw is present in the firmware packages listed by CPE identifiers for the 240126 and 240802 revisions.

Risk and Exploitability

The CVSS score reflects a high severity of 7.2, and the EPSS score of 54% indicates a high probability that exploitation could occur in the wild. The vulnerability is listed in the CISA KEV catalog, confirming that it has been actively exploited. Based on the description, the likely attack vector is a remote attacker who can authenticate or has inherited credentials to the router, then issues the vulnerable POST request—therefore the exploitation requires remote network access and privileged or default credentials.

Generated by OpenCVE AI on May 18, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the D‑Link DIR‑823X to the latest firmware release that addresses the command injection issue. This is the preferred and definitive fix.
  • If upgrading is not immediately possible, disable remote management or block traffic to the /goform endpoint using a firewall or router ACL to prevent remote POST requests. This limits the attack surface until a firmware update can be applied.
  • Configure the router to use strong, unique credentials and enable network segmentation to restrict local access, reducing the chance an attacker gains the necessary authorized access to exploit the flaw.

Generated by OpenCVE AI on May 18, 2026 at 15:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14821 A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.
History

Mon, 18 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title Command Injection in D-Link DIR-823X Firmware Enabling Remote Command Execution

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Remote Command Execution via Command Injection in D-Link DIR-823X Firmware

Sat, 09 May 2026 16:00:00 +0000

Type Values Removed Values Added
Title Remote Command Execution via Command Injection in D-Link DIR-823X Firmware

Tue, 05 May 2026 16:00:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in D-Link DIR-823X Allows Remote Execution

Mon, 04 May 2026 15:15:00 +0000

Type Values Removed Values Added
Title Command Injection Vulnerability in D-Link DIR-823X Allows Remote Execution

Sun, 03 May 2026 15:15:00 +0000

Type Values Removed Values Added
Title Remote Command Execution via POST /goform/set_prohibiting in D‑Link DIR‑823X

Fri, 01 May 2026 14:00:00 +0000

Type Values Removed Values Added
Title Remote Command Execution via POST /goform/set_prohibiting in D‑Link DIR‑823X

Fri, 24 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-04-24T00:00:00+00:00', 'dueDate': '2026-05-08T00:00:00+00:00'}

Fri, 24 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Thu, 03 Apr 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dir-823x
Dlink dir-823x Firmware
CPEs cpe:2.3:h:dlink:dir-823x:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-823x_firmware:240126:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dir-823x_firmware:240802:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dir-823x
Dlink dir-823x Firmware

Tue, 25 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 25 Mar 2025 13:30:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.
References

Subscriptions

Dlink Dir-823x Dir-823x Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-25T03:55:37.481Z

Reserved: 2025-03-11T00:00:00.000Z

Link: CVE-2025-29635

cve-icon Vulnrichment

Updated: 2025-03-25T14:49:53.234Z

cve-icon NVD

Status : Analyzed

Published: 2025-03-25T14:15:29.043

Modified: 2026-04-24T19:27:15.560

Link: CVE-2025-29635

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T15:15:28Z

Weaknesses