What happened
CVE-2025-29635 is a command injection vulnerability in D‑Link DIR‑823X firmware builds 240126 and 240802 that lets an authenticated user execute arbitrary commands via a POST to /goform/set_prohibiting, resulting in remote command execution (NVD, MITRE, mono7s PoC).
The issue is confirmed as exploited in the wild and is tracked in CISA’s Known Exploited Vulnerabilities catalog, which prioritizes remediation for active threats (CISA KEV entry, CISA KEV catalog).
Akamai reports ongoing botnet activity leveraging this CVE against D‑Link devices, consistent with automated Mirai‑style campaigns targeting exposed routers (Akamai analysis, CISA KEV).
Why it matters
An authenticated attacker on the management plane can turn a consumer router into a remote foothold, enabling command execution and device takeover, consistent with the CVSS 7.2 High score (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD, MITRE).
Active exploitation means defenders are racing automated campaigns that sweep the internet for viable targets, as seen in Mirai‑class operations abusing this exact CVE (Akamai analysis, CISA KEV entry).
If management interfaces are exposed or credentials are weak or reused, the PR:H requirement becomes a low barrier for botnets that already hold or brute‑force credentials, shortening the time to compromise (NVD, Akamai analysis).
Technical detail
The vulnerable code path is reached by sending an HTTP POST request to the router’s web interface endpoint /goform/set_prohibiting, where user‑controlled fields are passed to a system command context without proper sanitization, enabling command injection (NVD, mono7s PoC).
Exploitation requires an authorized session (PR:H), but once authenticated, a single crafted POST can trigger arbitrary command execution on affected firmware versions 240126 and 240802 (MITRE, NVD).
Public reporting links this CVE to botnet campaigns consistent with Mirai operators, indicating that weaponized proofs of concept and automated exploitation pipelines are in play at scale (Akamai analysis, CISA KEV entry).
The vulnerability is cataloged with CVSS 3.1 base score 7.2 and vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, reflecting network reachability with high impact once admin or privileged access is achieved (NVD, MITRE).
Defense
Prioritize assets: identify any D‑Link DIR‑823X running firmware 240126 or 240802 and treat it as high risk because of its active exploitation status in CISA KEV (CISA KEV entry, NVD).
Access control: disable remote/WAN management for the router UI and restrict administration to a dedicated management network to raise the bar against PR:H exploitation (CISA KEV catalog, NVD).
Detection: monitor HTTP logs and reverse proxy telemetry for POST requests to /goform/set_prohibiting from untrusted sources or unusual admin accounts; this maps directly to the vulnerable path (mono7s PoC, NVD).
Containment: if indicators align, segment or replace the router; assume compromise where exploitation has been observed by threat intel feeds documenting this CVE’s use in botnets (Akamai analysis, CISA KEV entry).
Patching: track the NVD/MITRE entries for vendor update references; apply fixed firmware immediately if and when it is published, and retire unsupported hardware from edge exposure (NVD, MITRE).
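As an added illustration of the detection step above (this is example code written for this page, not Lyrie’s detector and not code from the advisories), the following Python script scans HTTP access logs in Apache/nginx Combined Log Format for POST requests to /goform/set_prohibiting and grades each hit by source network and HTTP outcome. The sample log lines, the management range 10.10.5.0/24 and every IP address in it are constructed placeholders; substitute your own reverse proxy or sensor logs and management CIDRs.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Endpoint named in the advisories for CVE-2025-29635.
VULN_PATH = "/goform/set_prohibiting"

# Assumed management network (placeholder): only admins on this range should
# ever reach the router UI once WAN management is disabled.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample lines in Combined Log Format (not real traffic). In practice
# these would come from a reverse proxy or HTTP-aware sensor in front of the
# router, since consumer firmware rarely keeps usable access logs of its own.
SAMPLE_LOG = """\
203.0.113.45 - - [12/Mar/2025:10:15:01 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.5.7 - admin [12/Mar/2025:10:16:22 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 480 "http://10.10.5.1/" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:10:17:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.45 - - [12/Mar/2025:10:17:09 +0000] "POST /goform/set_prohibiting HTTP/1.1" 401 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Alert:
    src: str
    ts: str
    user: str
    status: int
    severity: str
    reason: str


def is_management_source(ip: str, mgmt_nets=MGMT_NETS) -> bool:
    """True if the client IP falls inside an allowed management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in mgmt_nets)


def detect(log_text: str, mgmt_nets=MGMT_NETS) -> list[Alert]:
    """Return one Alert per POST to the vulnerable endpoint, graded by source and outcome."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production job would count these separately
        if m["method"] != "POST" or m["path"] != VULN_PATH:
            continue
        src, status = m["ip"], int(m["status"])
        if is_management_source(src, mgmt_nets):
            # Expected admin traffic, but a compromised admin host looks identical
            # at this layer, so keep a low-severity record for session review.
            severity = "low"
            reason = "POST to vulnerable endpoint from management network; confirm the admin session is legitimate"
        elif status < 400:
            # The endpoint requires an authenticated session (PR:H), so an accepted
            # POST from outside the management range means credentials are in use.
            severity = "high"
            reason = "accepted POST to vulnerable endpoint from untrusted source; treat as possible exploitation"
        else:
            severity = "medium"
            reason = "rejected POST to vulnerable endpoint from untrusted source; probing or credential attempts"
        alerts.append(Alert(src, m["ts"], m["user"], status, severity, reason))
    return alerts


def untrusted_sources(alerts: list[Alert]) -> Counter:
    """Count attempts per untrusted source so repeat offenders surface for blocking."""
    return Counter(a.src for a in alerts if a.severity != "low")


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity.upper():6}] {a.ts} {a.src} user={a.user} status={a.status} {a.reason}")
    print("untrusted sources:", dict(untrusted_sources(found)))
```

The severity split follows the advisory’s PR:H condition: an accepted POST from outside the management range implies a working credential and is graded high, while a 401/403 from the same source is graded medium as probing; hits from the management range are kept at low severity so that an unusual admin account or time of day can still be reviewed.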
Lyrie Verdict
This is machine‑speed exploitation territory: automated botnets are probing and leveraging CVE‑2025‑29635 against exposed DIR‑823X devices, with CISA confirming active abuse and third‑party research attributing campaigns to Mirai‑style operators (CISA KEV entry, Akamai analysis).
Lyrie treats this as a protocol‑level indicator: we flag authenticated POSTs to /goform/set_prohibiting and correlated admin‑session anomalies for autonomous block/contain before payload execution, aligning to the exact path cited in advisories (mono7s PoC, NVD).
Bottom line: don’t wait for human review of router logs; let autonomous detectors interdict the request stream that enables the injection, then swap or reimage the device under response playbooks tuned for KEV‑listed exploitation (CISA KEV catalog, NVD).
Lyrie Verdict
Botnets are abusing CVE-2025-29635 at machine speed. Lyrie flags and blocks authenticated POSTs to /goform/set_prohibiting pre-execution, auto-containing KEV-listed exploitation.
Validated sources
- [1] NVD
- [2] GitHub Advisory
- [3] MITRE
- [4] CISA KEV