Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

[KEV] CVE-2025-29635 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2025-29635 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2025-29635 is a command injection vulnerability in the D-Link DIR-823X router, exploitable by an authenticated attacker through the device's web management interface.

Technical Detail

The flaw exists in the /goform/set_prohibiting endpoint, where user-supplied input is passed to an underlying system function without adequate sanitization. An attacker with valid credentials can craft a malicious POST request to this endpoint to inject and execute arbitrary operating system commands on the device, resulting in remote code execution (RCE) with the privileges of the web server process. Because the DIR-823X is consumer-grade networking hardware, successful exploitation gives an attacker full control over network traffic routing, DNS resolution, and any connected devices on the local network segment.

Exploitation Status

CISA has confirmed active exploitation in the wild, having added this CVE to the Known Exploited Vulnerabilities catalog on April 24, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable, real-world use exists and is being actively leveraged against targets, not merely demonstrated in a controlled research context.

Who Is Targeting This

No specific threat actor attribution has been confirmed at this time. No campaigns or targeted sectors have been formally identified in available intelligence. Given the nature of the vulnerability and the device class, opportunistic scanning and botnet recruitment activity is a plausible use case, though this remains unconfirmed.

What To Do

D-Link DIR-823X is confirmed to be at or approaching end-of-life and end-of-service status, meaning no vendor patch is expected. CISA's binding directive requires federal agencies to apply mitigations or discontinue use of the affected product by the applicable KEV remediation deadline. For all organizations, the recommended action is immediate device replacement with a supported product. If replacement cannot be completed immediately, isolate the device from untrusted networks, restrict management interface access to trusted IP addresses only, and disable remote management features. Monitor for anomalous outbound connections or unexpected DNS changes as potential indicators of compromise. Do not rely on credential rotation alone as a mitigation, as the vulnerability requires only authorized access, not administrative privileges.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →