Introduction
Remote attackers can take control of D-Link DIR-823X routers up to firmware 250416 by exploiting a command injection flaw in the device's DHCP static lease configuration. This vulnerability has already been publicly disclosed, with proof-of-concept code available, and is being actively discussed in security communities. D-Link is a major networking equipment vendor with a global footprint, and the DIR-823X series is widely used in home and small office environments. The impact of this vulnerability extends to a large installed base and can result in full device compromise.
Technical Information
CVE-2025-10123 is a command injection vulnerability in the sub_415028 function of the D-Link DIR-823X router firmware (up to version 250416). The flaw is triggered by sending a crafted HTTP POST request to the /goform/set_static_leases endpoint, specifically manipulating the Hostname parameter. The router's web interface fails to properly sanitize this parameter, allowing attackers to inject shell metacharacters and execute arbitrary system commands with root privileges.
The vulnerability is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-77 (Improper Neutralization of Special Elements used in a Command). Analysis of public research and related vulnerabilities in the DIR-823X firmware shows that user input is directly incorporated into system commands without adequate filtering or escaping. This allows attackers to terminate the intended command and append malicious instructions.
For example, a malicious payload could be sent in the Hostname field as follows:
legitimate_hostname; rm -rf /
This would result in the router executing both the intended command and the attacker's injected command. The vulnerability is remotely exploitable and does not require physical access to the device. The root cause is the lack of input validation and output encoding in the web interface code handling DHCP static lease assignments.
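An allowlist check of the kind the paragraph above describes as missing, written as an added C example; it is not code from the D-Link firmware or from the original advisory. The function name hostname_is_valid and the choice of RFC 1123 hostname rules as the policy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME_LEN 253  /* RFC 1123 total length limit */
#define MAX_LABEL_LEN    63   /* RFC 1123 per-label limit */

/* Allowlist check: returns 1 only for dot-separated labels made of ASCII
 * letters, digits and '-', where no label is empty or starts/ends with '-'.
 * Every shell metacharacter (; | & $ ` quotes, spaces, newlines) fails. */
int hostname_is_valid(const char *name)
{
    size_t len, label_len = 0;
    char prev = '.';  /* start of string behaves like start of a label */

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_HOSTNAME_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                    (c >= '0' && c <= '9');
        if (c == '.') {
            if (label_len == 0 || prev == '-')
                return 0;          /* empty label or label ending in '-' */
            label_len = 0;
        } else if (alnum || (c == '-' && label_len > 0)) {
            if (++label_len > MAX_LABEL_LEN)
                return 0;
        } else {
            return 0;              /* anything outside the allowlist */
        }
        prev = c;
    }
    return label_len > 0 && prev != '-';  /* no trailing '.' or '-' */
}

int main(void)
{
    /* Constructed samples; the third is the payload quoted on this page. */
    const char *samples[] = { "printer-01", "nas.lan",
                              "legitimate_hostname; rm -rf /" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s %s\n", samples[i],
               hostname_is_valid(samples[i]) ? "accept" : "reject");
    return 0;
}
```

A check like this complements, rather than replaces, building the downstream command without a shell, so that the value is only ever passed as a single argument.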
Affected Systems and Versions
- Product: D-Link DIR-823X routers
- Affected firmware versions: Up to and including 250416
- Related firmware versions with similar issues: 240126, 240802 (based on public research)
- Vulnerable endpoint: /goform/set_static_leases (sub_415028 function)
- Vulnerable configuration: Routers with web interface exposed and DHCP static lease configuration enabled
Vendor Security History
D-Link has a history of similar command injection and input validation vulnerabilities across multiple router models and firmware versions. Previous issues include:
- Command injection in /goform/set_ntp (ntp_zone_val parameter)
- Command injection in /goform/set_lan_settings (dhcpd_startip parameter)
- Command injection in /goform/diag_nslookup (target_addr parameter)
Patch response times have varied, with some vulnerabilities only receiving beta firmware fixes or remaining unpatched for end-of-life products. D-Link's overall security maturity in router firmware development has been questioned in public advisories and research.