Overview
CVE-2025-29635 is a command injection vulnerability affecting D-Link DIR-823X routers. An authorized attacker can exploit this flaw by sending a specially crafted POST request to the /goform/set_prohibiting endpoint, causing the router to execute arbitrary operating system commands with elevated privileges.
CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on April 24, 2026, confirming active exploitation in the wild.
Technical Details
| Field | Value |
|---|---|
| CVE ID | CVE-2025-29635 |
| CVSS Score | High |
| Affected Product | D-Link DIR-823X |
| Attack Vector | Network |
| Authentication Required | Yes (authorized attacker) |
| Exploit Maturity | Actively exploited |
Vulnerable Endpoint
The vulnerability resides in the router's web management interface. A POST request to /goform/set_prohibiting with a maliciously crafted parameter invokes a function that fails to properly sanitize user-supplied input before passing it to the underlying shell. This allows shell metacharacters to escape the intended context and execute arbitrary commands.
POST /goform/set_prohibiting HTTP/1.1
Host: <router-ip>
Content-Type: application/x-www-form-urlencoded
[malicious parameter with injected shell command]
End-of-Life Status
The D-Link DIR-823X is considered end-of-life (EoL) / end-of-service (EoS). D-Link has officially stated it will not release a security patch for this vulnerability, following its policy of not providing fixes for products beyond their support lifecycle.
This makes remediation straightforward but urgent: the device must be replaced or removed from internet-facing exposure.
Impact
Successful exploitation allows an attacker to:
- Execute arbitrary OS commands on the router as a privileged user
- Pivot into internal network segments reachable from the router
- Modify DNS settings for traffic interception or redirect
- Install persistent backdoors or botnet implants
- Exfiltrate network credentials stored in the device
Routers with this vulnerability exposed to the internet are prime targets for botnet operators seeking to add devices to DDoS infrastructure or establish persistent footholds in home and small business networks.
CISA KEV Directive
Federal civilian agencies subject to BOD 22-01 are required to remediate KEV catalog entries within the specified timeframe. For EoL products with no available patch, the standard guidance is:
- Remove the device from service
- Replace with a supported model receiving active security updates
- Where replacement is delayed, isolate the device behind a firewall with no direct internet exposure
Recommendations
Immediate actions:
- Replace the D-Link DIR-823X with a currently supported router model
- Disable remote (WAN-side) management of the web admin interface if immediate replacement is not possible
- Segment the device from sensitive network resources
- Monitor for unusual outbound traffic or DNS changes that may indicate compromise
- Audit similar end-of-life networking equipment across your environment
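The monitoring step above can be backed by a simple request-log check. The following is an added example, not code from this advisory or from D-Link: it scans constructed proxy/IDS-style request records for POSTs to /goform/set_prohibiting whose percent-decoded form values carry shell metacharacters. The record format and the form field name "rule" are assumptions; the real parameter name is not stated on this page.

```python
import re
from urllib.parse import parse_qs

# Endpoint named in the advisory.
VULNERABLE_PATH = "/goform/set_prohibiting"

# Shell metacharacters that let input escape its intended argument once it
# reaches a shell; a legitimate value for this endpoint should never contain them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

# Constructed sample events in a hypothetical "ts client method path body" format,
# standing in for what a reverse proxy or IDS in front of the admin interface
# might record. The form field name "rule" is a placeholder, not the real one.
SAMPLE_EVENTS = """\
2026-04-25T08:00:01Z 192.168.0.20 GET /index.html -
2026-04-25T08:00:02Z 192.168.0.20 POST /goform/set_prohibiting rule=allow&mac=00%3A11%3A22%3A33%3A44%3A55
2026-04-25T08:00:03Z 203.0.113.7 POST /goform/set_prohibiting rule=allow%3Bcmd&mac=00%3A11%3A22%3A33%3A44%3A55
2026-04-25T08:00:04Z 203.0.113.7 POST /goform/set_prohibiting rule=allow%60cmd%60
2026-04-25T08:00:05Z 192.168.0.20 POST /goform/other param=a%7Cb
""".splitlines()


def injected_fields(body):
    """Return {field: decoded value} for form values carrying shell metacharacters."""
    # parse_qs percent-decodes and '+'-unescapes, so encoded metacharacters
    # (%3B, %60, ...) are caught as well as literal ones.
    hits = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                hits[name] = value
    return hits


def find_suspicious(lines):
    """Flag POSTs to the vulnerable endpoint whose form values contain metacharacters."""
    alerts = []
    for line in lines:
        ts, client, method, path, body = line.split(" ", 4)
        if method == "POST" and path == VULNERABLE_PATH:
            hits = injected_fields(body)
            if hits:
                alerts.append((ts, client, hits))
    return alerts


if __name__ == "__main__":
    for ts, client, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"{ts} {client} suspicious fields: {hits}")
```

Any hit on an EoL device with no patch available should be treated as a probable compromise attempt and trigger isolation of the router rather than just a ticket.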
For organizations managing device fleets, treat any EoL router with a KEV-listed CVE as a critical remediation priority regardless of perceived network exposure. Attackers routinely scan for these devices and exploit them within hours of KEV publication.