CVE-2025-29635

A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote...

Basic Information

CVE State: PUBLISHED
Reserved Date: March 11, 2025
Published Date: March 25, 2025
Last Updated: April 25, 2026
Vendor: n/a
Product: n/a
Description: A command injection vulnerability in D-Link DIR-823X 240126 and 240802 allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function, triggering remote command execution.
Tags

CVSS Scores

CVSS v3.1

7.2 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-06-01 13:23:43 UTC) Source

References

https://github.com/mono7s/Dir-823x/blob/main/set_prohibiting/set_prohibiting.md

Known Exploited Vulnerability Information

Source	Added Date
CVE	2026-06-01 13:23:43 UTC

Timeline

CVE ID Reserved

March 11, 2025
CVE Published to Public

March 25, 2025
Added to KEVIntel

June 01, 2026