CVE-2025-29635
Published: 25 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-29635 is a command injection vulnerability (CWE-77) affecting D-Link DIR-823X routers running firmware versions 240126 and 240802. It enables an authorized attacker to execute arbitrary commands on the targeted device by sending a specially crafted POST request to the /goform/set_prohibiting endpoint, which is handled by the associated function, resulting in remote command execution. The vulnerability carries a CVSS v3.1 base score of 7.2 (High), reflecting network accessibility, low attack complexity, high required privileges, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.
An attacker with high privileges, such as administrative access to the device, can exploit this vulnerability over the network with low complexity and no need for user interaction. Successful exploitation grants remote command execution on the router, potentially allowing full compromise of the device, including data exfiltration, modification of configurations, or disruption of services.
Advisories reference a GitHub repository detailing the vulnerability at https://github.com/mono7s/Dir-823x/blob/main/set_prohibiting/set_prohibiting.md, an Akamai security research blog at https://www.akamai.com/blog/security-research/2026/apr/cve-2025-29635-mirai-campaign-targets-d-link-devices, and CISA's Known Exploited Vulnerabilities catalog entry at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-29635, which collectively highlight exploitation details and urge mitigation through patching or configuration hardening where available.
Notably, the vulnerability has seen real-world exploitation, including targeting by a Mirai botnet campaign as documented by Akamai, and its inclusion in CISA's Known Exploited Vulnerabilities catalog indicates active exploitation in the wild.
Details
- CWE(s): CWE-77
- KEV Date Added: 24 April 2026
Affected Products
Threat-Actor Attribution
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the web management endpoint (/goform/set_prohibiting) of an exposed router enables exploitation of a public-facing application for initial access (T1190) and arbitrary command execution via the Unix shell (T1059.004).