CVE-2025-2360
Published: 17 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2360 is a critical improper authorization vulnerability (CWE-266, CWE-285) in the D-Link DIR-823G router running firmware version 1.0.2B05_20181207. The issue resides in the SetUpnpSettings function exposed via the /HNAP1/ endpoint of the UPnP Service, where manipulation of the SOAPAction argument bypasses authorization checks. This flaw carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and exclusively impacts products that are no longer supported by the vendor.
Remote attackers need no privileges and no user interaction to exploit this vulnerability over the network, and attack complexity is low. Successful exploitation bypasses authorization and can have a limited impact on confidentiality, integrity, and availability, such as unauthorized modifications to UPnP settings or service alterations.
Advisories from VulDB and related disclosures, including a public exploit proof-of-concept on a Notion site, confirm no patches are available, as the affected D-Link DIR-823G models are end-of-support. Security practitioners should isolate or decommission these devices, apply network segmentation to block /HNAP1/ access, and monitor for anomalous UPnP traffic.
The exploit has been publicly disclosed and may be actively used against exposed instances, underscoring risks for legacy Internet-facing routers.
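The monitoring advice above can be turned into a simple triage rule. The following is an added example, not part of the advisory or of any vendor tooling: it classifies HTTP request records by whether they reach /HNAP1/ and whether the SOAPAction names SetUpnpSettings. The JSON record layout, the trusted LAN range and the sample records are constructed assumptions.

```python
import ipaddress
import json
from urllib.parse import unquote, urlsplit

# Assumption: router management is only expected from this LAN range.
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]
WATCHED_ACTION = "setupnpsettings"  # function named in the advisory, lower-cased

# Constructed sample: one JSON record per HTTP request from a hypothetical sensor.
SAMPLE_LOG = r"""
{"ts": "2025-03-18T09:12:01Z", "src": "192.168.0.23", "method": "POST", "uri": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\""}
{"ts": "2025-03-18T09:14:40Z", "src": "203.0.113.77", "method": "POST", "uri": "/HNAP1/", "soapaction": "\"http://purenetworks.com/HNAP1/SetUpnpSettings\""}
{"ts": "2025-03-18T09:15:02Z", "src": "198.51.100.9", "method": "GET", "uri": "/hnap1?x=1", "soapaction": ""}
{"ts": "2025-03-18T09:20:11Z", "src": "192.168.0.50", "method": "POST", "uri": "/HNAP1/", "soapaction": "http://purenetworks.com/HNAP1/setUPNPsettings "}
{"ts": "2025-03-18T09:21:00Z", "src": "203.0.113.77", "method": "GET", "uri": "/index.html", "soapaction": ""}
"""

def is_hnap_path(uri):
    """True when the path is /HNAP1 or below, ignoring case, encoding and query."""
    path = unquote(urlsplit(uri).path).lower().rstrip("/")
    return path == "/hnap1" or path.startswith("/hnap1/")

def action_name(soapaction):
    """Last path segment of the SOAPAction value, without quotes, lower-cased."""
    return soapaction.strip().strip('"').rstrip("/").rsplit("/", 1)[-1].lower()

def classify(record):
    """Return 'high', 'medium', 'review' or None for one request record."""
    if not is_hnap_path(record["uri"]):
        return None
    src = ipaddress.ip_address(record["src"])
    trusted = any(src in net for net in TRUSTED_NETS)
    watched = action_name(record.get("soapaction", "")) == WATCHED_ACTION
    if watched:
        # UPnP settings change: urgent from outside, worth confirming from inside.
        return "review" if trusted else "high"
    # Any other HNAP request from outside means segmentation is not working.
    return None if trusted else "medium"

def scan(log_text):
    """Yield (severity, ts, src) for every record that needs attention."""
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            sev = classify(rec)
            if sev:
                yield sev, rec["ts"], rec["src"]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

A "medium" finding is as useful as a "high" one here: it shows that /HNAP1/ is reachable from outside the management network, which the segmentation control was supposed to prevent.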
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an auth bypass in the public-facing /HNAP1/ UPnP endpoint on an internet-facing router, directly enabling remote exploitation of a public-facing application without credentials.