CVE-2025-10123: Command Injection in D-Link DIR-823X
A vulnerability was identified in D-Link DIR-823X up to firmware 250416. Affected is the function sub_415028 of the file /goform/set_static_leases. Manipulation of the argument Hostname leads to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Analysis
Technical Summary
CVE-2025-10123 is a command injection vulnerability in the D-Link DIR-823X router, affecting firmware version 250416 and earlier. The flaw is in the function sub_415028, which handles requests to the /goform/set_static_leases endpoint. The handler takes the Hostname argument of a static DHCP lease entry and, without adequately neutralising shell metacharacters, uses it in a command executed on the device, so an attacker who can reach the endpoint can append commands that run with the privileges of the web server process. On embedded routers of this class the web server commonly runs as root, in which case an injected command gives full control of the device: reading or altering configuration, intercepting or redirecting traffic, and pivoting to other hosts on the LAN.

The published description states only that the attack can be launched remotely; it does not say whether the endpoint enforces authentication, so the realistic attack surface is anyone who can reach the management interface, which is normally the LAN and, if remote management is enabled, the WAN as well. The CVSS 4.0 base score is 6.9 (medium), with confidentiality, integrity and availability impact all rated low; that rating describes the injection in isolation and understates the practical consequence of code execution on a gateway device. A public exploit exists, but no exploitation in the wild had been reported at the time of writing. No patched firmware was available at the time of reporting, which raises the urgency of the mitigations below.
Potential Impact
For European organizations that deploy the DIR-823X, exploitation means an attacker controls the network gateway: traffic can be intercepted, modified or redirected (for example by changing the DNS servers handed out over DHCP), credentials and other sensitive data can be captured, and the router becomes a foothold for attacks on internal hosts. Small and medium enterprises and home users are most exposed, because this class of device is common there and rarely sits behind monitoring or network segmentation. Confidentiality impact is moderate in practice because of traffic interception; integrity and availability impact ranges from low to moderate depending on the attacker's goals. Remote reachability combined with a public exploit raises the likelihood of opportunistic mass exploitation, especially where firmware is not updated regularly. For organizations subject to GDPR and similar data protection rules, a breach through a compromised gateway can carry notification duties and penalties. Compromised consumer routers are also routinely conscripted into botnets and used as launch points for attacks on third parties.
Mitigation Recommendations
1. Isolate vulnerable DIR-823X devices from critical network segments so that a compromised router cannot reach sensitive hosts.
2. Monitor traffic from and to these routers for unusual activity, in particular unexpected outbound connections (reverse shells, binary downloads) and POST requests to /goform/set_static_leases whose Hostname parameter contains shell metacharacters (;, |, &, `, $( or newlines) rather than a plain hostname.
3. No official patch is available at the time of writing; check D-Link's support site for a firmware update or advisory and apply it as soon as one is released.
4. Consider replacing the device with a model confirmed to be unaffected, or from a vendor with a reliable patching record.
5. Restrict access to the management interface with firewall rules: disable remote (WAN-side) management, and limit LAN access to an administrative VLAN or to specific hosts.
6. Deploy IDS/IPS signatures for requests to /goform/set_static_leases, matching on the content of the Hostname parameter rather than on the path alone, since legitimate static-lease updates use the same endpoint.
7. Educate users and administrators about the signs of router compromise (changed DNS settings, unknown admin accounts, unexpected reboots, unfamiliar listening ports) so that they can respond quickly.
8. Audit and update router firmware as soon as a fix is released; that is the only definitive remediation.
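The example below is added here and is not code from the DIR-823X firmware or from D-Link; the disassembly of sub_415028 is not reproduced on this page, so the vulnerable handler is a hypothetical reconstruction of the pattern the advisory describes (a static-lease Hostname concatenated into a shell command). It shows the vulnerable pattern beside a hardened version that allow-lists every field and never spawns a shell, and reuses the same allow-list check as the detection predicate suggested in mitigation items 2 and 6. The parameter names Mac and IP, the lease file path and the request body are assumptions for illustration.

```c
/* Added example, not the DIR-823X firmware's own code. The vulnerable
 * handler is a hypothetical reconstruction of the pattern in the advisory;
 * parameter names other than Hostname and the lease file path are assumed. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTNAME_MAX 63          /* RFC 1123 label length limit */

/* VULNERABLE PATTERN: the untrusted Hostname is formatted straight into a
 * shell command line that the handler then hands to system(). A value such
 * as "x;telnetd -l /bin/sh" ends the echo and runs the attacker's command. */
int build_lease_cmd_vulnerable(char *out, size_t outlen, const char *mac,
                               const char *ip, const char *hostname)
{
    int n = snprintf(out, outlen, "echo %s,%s,%s >> /tmp/static_leases",
                     mac, ip, hostname);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;   /* caller did: system(out); */
}

/* Allow-list check: a valid hostname label is 1..63 ASCII letters, digits or
 * '-', not starting or ending with '-'. Every shell metacharacter fails it.
 * (isalnum() is locale dependent; in the default "C" locale it is ASCII-only.) */
int hostname_is_valid(const char *h)
{
    size_t len = strlen(h);
    if (len == 0 || len > HOSTNAME_MAX) return 0;
    if (h[0] == '-' || h[len - 1] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-') return 0;
    }
    return 1;
}

/* MAC must be exactly "xx:xx:xx:xx:xx:xx" with hex digits. */
int mac_is_valid(const char *m)
{
    if (strlen(m) != 17) return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) { if (m[i] != ':') return 0; }
        else if (!isxdigit((unsigned char)m[i])) return 0;
    }
    return 1;
}

int ipv4_is_valid(const char *ip)
{
    struct in_addr a;
    return inet_pton(AF_INET, ip, &a) == 1;
}

/* HARDENED: validate every field, then produce the lease record as plain data.
 * The caller appends it with fopen()/fputs(); no shell is involved, so there is
 * nothing left for metacharacters to act on. Returns 0, or -1 if rejected. */
int format_lease_record(char *out, size_t outlen, const char *mac,
                        const char *ip, const char *hostname)
{
    if (!mac_is_valid(mac) || !ipv4_is_valid(ip) || !hostname_is_valid(hostname))
        return -1;
    int n = snprintf(out, outlen, "%s,%s,%s\n", mac, ip, hostname);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Detection use of the same check: given the URL-encoded body of a POST to
 * /goform/set_static_leases, percent-decode the first Hostname parameter and
 * report whether it fails the allow-list. Usable as the core of an IDS rule or
 * a log-review script. Returns 1 = suspicious, 0 = clean, -1 = no Hostname. */
int hostname_param_is_suspicious(const char *body)
{
    const char *p = strstr(body, "Hostname=");
    if (!p || (p != body && p[-1] != '&')) return -1;
    p += strlen("Hostname=");
    char dec[256];
    size_t j = 0;
    for (; *p && *p != '&' && j + 1 < sizeof dec; p++) {
        if (*p == '%' && isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], 0 };
            dec[j++] = (char)strtol(hex, NULL, 16);
            p += 2;
        } else {
            dec[j++] = (*p == '+') ? ' ' : *p;
        }
    }
    dec[j] = '\0';
    return hostname_is_valid(dec) ? 0 : 1;
}

int main(void)
{
    char buf[256];
    const char *evil = "x;telnetd -l /bin/sh";   /* constructed attacker input */
    build_lease_cmd_vulnerable(buf, sizeof buf, "aa:bb:cc:dd:ee:ff", "192.168.0.10", evil);
    printf("vulnerable handler would run: %s\n", buf);
    printf("hardened handler accepts it: %d\n",
           format_lease_record(buf, sizeof buf, "aa:bb:cc:dd:ee:ff", "192.168.0.10", evil) == 0);
    /* Constructed request body as it would appear in a capture of the POST. */
    printf("request flagged: %d\n", hostname_param_is_suspicious(
        "Mac=aa:bb:cc:dd:ee:ff&IP=192.168.0.10&Hostname=x%3Btelnetd+-l+%2Fbin%2Fsh"));
    return 0;
}
```

The allow-list is deliberately stricter than what some firmware accepts (underscores and Unicode are rejected); for a detection rule that is the right trade-off, since a false positive on an odd hostname costs far less than a missed injection, and any request with ;, |, `, $( or a newline in Hostname has no legitimate reason to exist.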
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-08T15:19:14.461Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68bf9505d5a2966cfc85b35b
Added to database: 9/9/2025, 2:46:29 AM
Last enriched: 9/9/2025, 3:01:25 AM
Last updated: 9/9/2025, 8:15:38 AM