
CVE-2025-10401: Command Injection in D-Link DIR-823x

Severity: Medium
Published: Sun Sep 14 2025 (09/14/2025, 15:32:06 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DIR-823x

Description

A vulnerability was detected in D-Link DIR-823x up to 250416. The affected element is an unknown function of the file /goform/diag_ping. Performing manipulation of the argument target_addr results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.

AI-Powered Analysis

Last updated: 09/14/2025, 15:35:07 UTC

Technical Analysis

CVE-2025-10401 is a command injection vulnerability in the D-Link DIR-823x router series, affecting firmware version 250416 and earlier. The flaw lies in an unspecified function behind the /goform/diag_ping endpoint, where manipulation of the 'target_addr' parameter lets an attacker inject arbitrary commands. As the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates, a remote attacker holding low privileges on the device can execute system-level commands on it with no user interaction required. The vulnerability is rated medium severity with a CVSS 4.0 base score of 5.3, reflecting limited impact on confidentiality, integrity, and availability and the low-privilege requirement. No exploitation in the wild is currently known, but exploit code has been publicly disclosed, which raises the likelihood of exploitation. A compromised router could give an attacker control over network traffic, a foothold for further attacks on connected devices, or a means to disrupt network availability. With no patch or official mitigation guidance from the vendor at the time of writing, affected users should prioritise protective measures.

Potential Impact

For European organizations, this vulnerability poses a moderate risk, primarily to network infrastructure that relies on D-Link DIR-823x routers. Successful exploitation could lead to unauthorized command execution on the router, enabling attackers to intercept, manipulate, or disrupt network communications. This could compromise the confidentiality and integrity of sensitive data, especially where these routers serve as gateways or critical network nodes. Attackers could also use compromised routers as footholds for lateral movement within corporate networks or as platforms for launching distributed denial-of-service (DDoS) attacks. The medium severity rating indicates that while the impact is not catastrophic, operational disruption and data exposure are realistic outcomes. Organizations with remote or distributed workforces using these routers in home or branch office settings face increased exposure because the flaw is remotely exploitable and requires only low privileges. The absence of known active exploitation reduces immediate risk but does not eliminate the threat, particularly given the public availability of exploit code.

Mitigation Recommendations

Given the absence of official patches, European organizations should implement the following specific mitigations:

1) Immediately identify and inventory all D-Link DIR-823x routers running firmware version 250416 or earlier within their network and remote sites.
2) Where possible, isolate affected routers from the internet or untrusted networks to reduce exposure to remote attacks.
3) Restrict access to the /goform/diag_ping endpoint by implementing firewall rules or access control lists (ACLs) that limit management interface access to trusted IP addresses only.
4) Monitor network traffic and router logs for unusual activity indicative of command injection attempts, such as unexpected commands or abnormal ping diagnostics.
5) Employ network segmentation to limit the impact of a compromised router on critical internal systems.
6) Engage with D-Link support channels to obtain information on forthcoming patches or firmware updates and plan timely deployment once available.
7) Consider replacing vulnerable devices with models that have confirmed security updates if mitigation is not feasible.
8) Educate IT staff and users about the risks and signs of router compromise to enhance detection and response capabilities.
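As an added example for mitigation item 4 (not part of this advisory, and not D-Link's code, whose vulnerable diag_ping handler is not shown here), the script below triages access logs from a reverse proxy or management gateway in front of the router: it keeps only requests to /goform/diag_ping and flags any target_addr value that is not a plain IPv4 address or hostname. The log format, the allowlist regexes and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist for a ping target: a bare IPv4 literal or a DNS hostname.
# Anything else (shell metacharacters, spaces, quotes) is treated as suspect.
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

def is_valid_target_addr(value: str) -> bool:
    """Allowlist check: only a plain IPv4 address or DNS hostname passes."""
    if len(value) > 253:
        return False
    return bool(IPV4_RE.match(value) or HOSTNAME_RE.match(value))

# Constructed CLF-style access-log lines, not real device or proxy output.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2025:15:32:06 +0000] "GET /goform/diag_ping?target_addr=192.0.2.1 HTTP/1.1" 200 512
203.0.113.9 - - [14/Sep/2025:15:33:10 +0000] "GET /goform/diag_ping?target_addr=192.0.2.1%3Becho+hi HTTP/1.1" 200 640
203.0.113.9 - - [14/Sep/2025:15:33:11 +0000] "GET /goform/diag_ping?target_addr=router.example.net HTTP/1.1" 200 512
203.0.113.7 - - [14/Sep/2025:15:34:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"'
)

def find_suspicious_ping_requests(log_text: str) -> list[dict]:
    """Return diag_ping requests whose target_addr fails the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if url.path != "/goform/diag_ping":
            continue
        # parse_qs decodes percent-encoding and '+', so encoded values are
        # normalised before the allowlist check is applied.
        for target in parse_qs(url.query).get("target_addr", []):
            if not is_valid_target_addr(target):
                hits.append({"src": m.group("src"), "ts": m.group("ts"), "target_addr": target})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_ping_requests(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['src']} target_addr={hit['target_addr']!r}")
```

Standard access logs record only the query string, so if the device accepts target_addr in a POST body the same allowlist check needs to run on captured request bodies instead.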


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-13T19:40:00.810Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c6e0952f1f64d8cea24e0f

Added to database: 9/14/2025, 3:34:45 PM

Last enriched: 9/14/2025, 3:35:07 PM

Last updated: 9/14/2025, 8:04:57 PM

