CISA has added CVE-2025-29635 to its Known Exploited Vulnerabilities catalogue, affecting D‑Link’s DIR‑823X router. The vulnerability is a command injection flaw that allows an authorised attacker to execute arbitrary commands on the device by sending a crafted POST request to /goform/set_prohibiting.
Technically, the flaw resides in the set_prohibiting function and can be exploited remotely without additional privileges once the attacker has valid credentials. It carries a CVSS v3.1 base score of 7.2 (High), indicating a significant impact on confidentiality, integrity and availability. The advisory notes that the patch status is currently unknown, and the product may be end‑of‑life or end‑of‑service.
Because the entry is in the KEV catalogue, active exploitation has been confirmed in the wild. CISA has not linked this vulnerability to any known ransomware campaign. Federal Civilian Executive Branch (FCEB) agencies must remediate the issue by the due date of 8 May 2026.
CISA’s required action is to “Apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” While this directive binds FCEB agencies, all organisations should review their exposure to the DIR‑823X and consider the same steps.
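As part of reviewing exposure, defenders who have HTTP logs from a proxy or network sensor in front of the router can look for POST requests to the endpoint named above. The following is an added example, not code from CISA or D‑Link; the log format (Common Log Format), the management subnet and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

ENDPOINT = "/goform/set_prohibiting"  # path named in the advisory
# Assumption: the only subnet that should ever administer the router.
MGMT_NETS = [ipaddress.ip_network("192.168.0.0/24")]

# Common Log Format prefix, as written by a proxy or HTTP sensor (assumed source).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.168.0.10 - - [02/May/2026:09:14:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.0.10 - - [02/May/2026:09:14:09 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 41
203.0.113.7 - - [02/May/2026:11:02:33 +0000] "POST /goform/set_prohibiting?x=1 HTTP/1.1" 200 41
203.0.113.7 - - [02/May/2026:11:02:40 +0000] "POST /goform/%73et_prohibiting HTTP/1.1" 200 41
198.51.100.4 - - [02/May/2026:12:00:00 +0000] "GET /goform/set_prohibiting HTTP/1.1" 404 0
garbage line
"""

def find_hits(log_text, mgmt_nets=MGMT_NETS):
    """Return POSTs to ENDPOINT, marking sources outside the management nets."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Normalise before comparing: drop the query string, decode
        # percent-escapes and collapse repeated slashes.
        path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0]))
        if path != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # hostname or malformed source field
        external = not any(src in net for net in mgmt_nets)
        hits.append({"src": str(src), "time": m["ts"],
                     "status": int(m["status"]), "external": external})
    return hits

def external_sources(hits):
    """Count hits per source address that is outside the management nets."""
    return dict(Counter(h["src"] for h in hits if h["external"]))
```

A hit from inside the management subnet may be routine administration; hits from any other source warrant review of the device and of the credentials used to reach it.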
For full details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-29635 and the CISA KEV catalogue.