CISA added CVE-2025-29635, a high-severity command injection flaw in D-Link DIR-823X routers, to the Known Exploited Vulnerabilities catalog on 2026-04-24, with federal remediation due by 2026-05-08.
What Is It
CVE-2025-29635 is a command injection vulnerability (CWE-77) in D-Link DIR-823X firmware versions 240126 and 240802. An authorized attacker can execute arbitrary commands on the device by sending a POST request to /goform/set_prohibiting; the function that handles this endpoint is where the injection is triggered, resulting in remote command execution.
The flaw carries a CVSS 3.1 score of 7.2 (HIGH) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. That is: network-reachable, low complexity, no user interaction required, with full impact to confidentiality, integrity, and availability. The high privilege requirement reflects that an attacker must be authorized to the device's management interface to reach the vulnerable endpoint.
Why It Matters
CISA's KEV listing confirms active exploitation in the wild. A referenced Akamai writeup (April 2026) ties CVE-2025-29635 to a Mirai botnet campaign targeting D-Link devices, meaning compromised routers are being conscripted into automated infection chains. Known ransomware campaign use is listed as "Unknown."
Federal civilian agencies under BOD 22-01 had until 2026-05-08 to remediate. Any organization still running affected firmware is operating exposed kit against a confirmed in-the-wild exploit.
What's Vulnerable
- D-Link DIR-823X firmware version 240126
- D-Link DIR-823X firmware version 240802
- Affected hardware: D-Link DIR-823X router
CISA notes the impacted product could be end-of-life (EoL) and/or end-of-service (EoS), and advises users to discontinue product utilization.
Patch Status
D-Link published a security advisory (SAP10469). Per CISA's required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Given the EoL/EoS status, planning for replacement is a safer assumption than waiting for a patch.
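While affected units are still in service, one way to hunt for use of the endpoint named above is to search HTTP request logs for POSTs to /goform/set_prohibiting and flag any that do not come from an admin workstation. The following is an added example, not code from CISA, D-Link or Akamai; it assumes a proxy or network sensor in front of the router writes combined-format access logs, and the `MGMT_NETS` subnet, function name and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Endpoint named in the CVE description; query strings and trailing slashes are tolerated.
ENDPOINT = "/goform/set_prohibiting"
# Assumption: admin workstations live in this subnet; adjust to your network.
MGMT_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Common/combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def find_hits(lines, mgmt_nets=MGMT_NETS):
    """Return one dict per POST to the vulnerable endpoint, flagging unexpected sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare the path only, ignoring query string, trailing slash and case.
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        if path != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            expected = any(src in net for net in mgmt_nets)
        except ValueError:
            expected = False  # hostname or junk in the source field: treat as unexpected
        hits.append({"src": m["src"], "time": m["ts"], "status": int(m["status"]),
                     "expected_source": expected})
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.168.10.5 - - [24/Apr/2026:09:01:11 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [24/Apr/2026:09:02:40 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.77 - - [24/Apr/2026:09:02:41 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.9 - - [24/Apr/2026:09:03:02 +0000] "POST /GOFORM/set_prohibiting/?x=1 HTTP/1.1" 401 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        tag = "expected" if hit["expected_source"] else "INVESTIGATE"
        print(f'{tag}: {hit["time"]} {hit["src"]} -> {ENDPOINT} (HTTP {hit["status"]})')
```

A hit from an expected source is not proof of benign use, since the flaw requires an authorized session; treat any POST to this endpoint that nobody on the admin team can account for as worth investigating.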