Actively exploited · 3 sources verified
By Lyrie Threat Intelligence · 4/24/2026

What happened

CISA added CVE-2025-29635 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-04-24, signaling active exploitation in the wild (CISA KEV catalog). The vulnerability impacts D-Link DIR-823X and enables command injection by an authenticated attacker via a POST to the router’s management endpoint /goform/set_prohibiting (NVD entry). CISA’s entry warns the product may be end-of-life/end-of-service and advises discontinuing use if mitigations aren’t available, with a remediation due date of 2026-05-08 (CISA KEV catalog).

The flaw is tracked as CWE-77 (command injection), indicating user-supplied data can be invoked as part of an operating system command on the device (NVD entry). CISA’s required action directs organizations to apply vendor mitigations, follow applicable BOD 22-01 guidance for cloud services, or retire the device if no fix exists (CISA KEV catalog).

Why it matters

When CISA moves a vulnerability into KEV, it’s not theory: it’s being used by adversaries, often at scale and automatically (CISA KEV catalog). SOHO router compromises become beachheads for lateral movement, traffic interception, or staging follow-on operations if management interfaces are reachable and credentials are obtained (NVD entry). The authenticated nature of CVE-2025-29635 means that once an attacker has valid session access, arbitrary commands can be executed on the device via the affected function (MITRE CVE record).

EoL/EoS status compounds risk: unmaintained gear tends to linger at the edge with weak hygiene, and CISA explicitly advises discontinuation if mitigations aren’t available (CISA KEV catalog). Leaving an unpatchable router online while it sits in KEV is equivalent to granting persistence at your perimeter (NVD entry).

Technical detail

The vulnerable code path is triggered by an HTTP POST to /goform/set_prohibiting on D-Link DIR-823X, where insufficient input validation leads to command injection in an authenticated context (NVD entry). The weakness is categorized under CWE-77 (command injection), implying shell metacharacters or concatenated inputs can traverse into OS command execution (NVD entry). Because the endpoint sits on the device’s management plane, exploitation requires access to the authenticated management session to invoke the corresponding function (MITRE CVE record).

Operationally, the attacker flow is straightforward: authenticate, craft a malicious POST toward /goform/set_prohibiting, and leverage command injection to run arbitrary OS-level commands on the router (NVD entry). Once executed, commands can modify device state, establish persistence, pivot traffic, or drop additional tooling, depending on privilege and shell environment on the target firmware (MITRE CVE record). CISA’s inclusion in KEV indicates this sequence (or a close variant) is already being used by adversaries in the field (CISA KEV catalog).

Indicators defenders can key on include authenticated HTTP requests to /goform/set_prohibiting and anomalous command execution artifacts on the device following a POST event (NVD entry). If WAN-side management is exposed, the blast radius expands from local segments to the internet, reducing attacker friction to simple credential acquisition plus a crafted POST (MITRE CVE record).

Defense

  • Immediate action: align with CISA’s directive: apply vendor mitigations if available, or discontinue product use if not; deadline 2026-05-08 (CISA KEV catalog).
  • Access control: disable WAN-side management; restrict management to an admin VLAN or out-of-band network to gate any attempt to reach /goform/set_prohibiting (NVD entry).
  • Monitoring: alert on authenticated POSTs to /goform/set_prohibiting and follow-on process execution on the device if telemetry exists (syslog/command audit) (NVD entry).
  • Credential hygiene: rotate admin creds and sessions if compromise is suspected; the attack requires authentication, so expiring tokens and enforcing MFA at jump points reduces attacker dwell time (MITRE CVE record).
  • Triage suspected hits: capture device configs, firmware version, and any post-exploitation artifacts; if the device is EoL/EoS, swap it out rather than attempting long-term hardening (CISA KEV catalog).
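The indicators in the Technical detail section and the Monitoring bullet above boil down to one correlation: an authenticated POST to the CVE-identified path, followed within a short window by a process on the device whose command line carries shell metacharacters (the CWE-77 pattern). The detector below is an added example written for this page, not Lyrie tooling and not D-Link firmware output. The key=value log layout, the session field, the process-audit feed, and the sample lines themselves are all constructed assumptions; real DIR-823X logs will need their own parser.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Endpoint named in the CISA KEV / NVD entries for CVE-2025-29635
TARGET_PATH = "/goform/set_prohibiting"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Shell metacharacters that indicate concatenated input reached a command string (CWE-77)
META_RE = re.compile(r"[;|&`]|\$\(")

# Constructed sample telemetry (assumed format, not real device output).
# The first POST is unauthenticated (401) and must not alert; the third is the hit.
HTTP_LOG = """\
2026-04-24T10:01:02Z src=10.0.0.5 method=POST path=/goform/set_prohibiting status=401 session=-
2026-04-24T10:01:09Z src=10.0.0.5 method=POST path=/goform/login status=200 session=ab12
2026-04-24T10:01:15Z src=10.0.0.5 method=POST path=/goform/set_prohibiting status=200 session=ab12
2026-04-24T10:05:00Z src=10.0.0.9 method=GET path=/index.html status=200 session=-
"""

# Constructed process-audit feed; 'set_prohibiting_helper' is a hypothetical helper name.
EXEC_LOG = """\
2026-04-24T10:01:16Z pid=1201 ppid=310 cmd="sh -c 'set_prohibiting_helper 00:11:22:33:44:55; cat /etc/passwd'"
2026-04-24T10:06:00Z pid=1300 ppid=310 cmd="ntpd -q"
"""


def parse_lines(text):
    """Parse '<ISO8601Z> key=value ...' lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def authenticated_posts(http_events, path=TARGET_PATH):
    """Indicator 1: successful POSTs to the CVE path that carry a session."""
    return [
        e for e in http_events
        if e.get("method") == "POST"
        and e.get("path") == path
        and e.get("status") == "200"
        and e.get("session", "-") != "-"
    ]


def correlate(http_events, exec_events, window=timedelta(seconds=60)):
    """Indicator 2: command execution with metacharacters shortly after an authenticated POST.

    Severity is raised when the source is non-private, i.e. the POST arrived on a
    WAN-exposed management interface.
    """
    alerts = []
    for post in authenticated_posts(http_events):
        for ex in exec_events:
            delta = ex["ts"] - post["ts"]
            if timedelta(0) <= delta <= window and META_RE.search(ex.get("cmd", "")):
                wan_exposed = not ip_address(post["src"]).is_private
                alerts.append({
                    "src": post["src"],
                    "session": post["session"],
                    "post_time": post["ts"].isoformat(),
                    "seconds_after_post": int(delta.total_seconds()),
                    "cmd": ex["cmd"],
                    "severity": "critical" if wan_exposed else "high",
                })
    return alerts


if __name__ == "__main__":
    hits = correlate(parse_lines(HTTP_LOG), parse_lines(EXEC_LOG))
    for hit in hits:
        print(f"[{hit['severity']}] {hit['src']} session={hit['session']} "
              f"exec {hit['seconds_after_post']}s after POST: {hit['cmd']}")
```

The two functions map to the two indicator classes on this page: authenticated_posts fires on the request alone (useful where only web logs exist), and correlate tightens that into a login-to-execution chain when process telemetry is available, which is what turns a noisy endpoint hit into an isolation decision.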

Lyrie Verdict

Autonomous adversaries don’t wait for change windows. KEV listing means scripted exploitation is already in motion against DIR-823X-class targets (CISA KEV catalog). Lyrie flags management-plane anomalies at machine speed, specifically authenticated HTTP POSTs to the CVE-identified path (/goform/set_prohibiting) coupled with command-execution telemetry on embedded Linux, mapped to CWE-77 patterns (NVD entry). We auto-correlate credentialed router logins with immediate config/process changes to cut human reaction time from hours to seconds and recommend automated isolation for suspected DIR-823X nodes pending swap-out per CISA guidance (MITRE CVE record).