
CVE-2025-10634: Command Injection in D-Link DIR-823X

Severity: Medium
Tags: Vulnerability, CVE-2025-10634
Published: Thu Sep 18 2025 (09/18/2025, 01:02:15 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DIR-823X

Description

A weakness has been identified in D-Link DIR-823X 240126/240802/250416. The impacted element is the function sub_412E7C of the file /usr/sbin/goahead of the component Environment Variable Handler. This manipulation of the argument terminal_addr/server_ip/server_port causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited.

AI-Powered Analysis

AI last updated: 09/19/2025, 00:10:49 UTC

Technical Analysis

CVE-2025-10634 is a command injection vulnerability in the D-Link DIR-823X router, affecting firmware versions 240126, 240802, and 250416. The flaw is located in the Environment Variable Handler component, in the function sub_412E7C of the /usr/sbin/goahead binary (the device's embedded web server). The parameters terminal_addr, server_ip, and server_port are used as arguments to this function without adequate sanitization, so an attacker who controls them remotely can inject arbitrary commands that the system executes with elevated privileges. Successful exploitation allows arbitrary code execution on the router and can lead to full compromise of the device. The attack vector is network-based and requires neither authentication nor user interaction, so the flaw is reachable by attackers scanning for exposed devices on the internet or on local networks. The CVSS v4.0 score is 5.3 (medium severity), but a public exploit is available, which raises the practical threat level, and no patch was available at the time of publication. GoAhead is widely used as the web server in embedded devices, and command injection flaws in it are critical because they can give an attacker persistent control over network infrastructure devices.
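The analysis above describes the classic embedded-web-server failure: request parameters (here terminal_addr, server_ip and server_port) end up inside a shell command. The C program below is an added illustration written for this page; it is not D-Link's code and does not reproduce sub_412E7C, whose internals the page does not show. It contrasts a hypothetical vulnerable pattern (building a command string and calling system()) with a hardened handler that allow-lists the parameter formats (strict dotted-quad via inet_pton, numeric port in range) and runs the helper through execv() with an argv array so no shell ever parses the values. The helper path, the function names and the sample inputs are assumptions; /bin/echo stands in for the real helper so the program runs stand-alone, and terminal_addr is omitted because its expected format is not stated on the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* HYPOTHETICAL vulnerable pattern (not the actual sub_412E7C code): the
 * request parameters are pasted into a command line that /bin/sh parses,
 * so a shell metacharacter inside server_ip or server_port changes the
 * command instead of being treated as data. Shown for contrast only and
 * never called below. */
int vulnerable_apply_settings(const char *helper, const char *server_ip,
                              const char *server_port)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "%s %s %s", helper, server_ip, server_port);
    return system(cmd);
}

/* Hardened: accept only a strict dotted-quad IPv4 address (no hostnames,
 * no whitespace, no trailing characters). inet_pton rejects anything else. */
int valid_ipv4(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > 15)
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Hardened: accept only an unsigned decimal port in 1..65535. strtol alone
 * would tolerate leading whitespace, a sign and trailing garbage, so each
 * of those cases is rejected explicitly. */
int valid_port(const char *s)
{
    char *end;
    long v;
    if (s == NULL || s[0] < '0' || s[0] > '9' || strlen(s) > 5)
        return 0;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 1 || v > 65535)
        return 0;
    return 1;
}

/* Hardened handler: validate first, then execute the helper via fork/execv
 * with an argv array. No shell is involved, so the values reach the helper
 * verbatim. Returns -1 if the input is rejected or the child could not be
 * run, otherwise the helper's exit status. */
int run_helper_noshell(const char *helper, const char *server_ip,
                       const char *server_port)
{
    pid_t pid;
    int status;

    if (!valid_ipv4(server_ip) || !valid_port(server_port))
        return -1;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)helper, (char *)server_ip,
                               (char *)server_port, NULL };
        execv(helper, argv);
        _exit(127);            /* only reached if execv failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed pair and one value that
     * carries a shell metacharacter. /bin/echo stands in for the real helper. */
    const char *good_ip = "192.0.2.10";
    const char *bad_ip  = "192.0.2.10;x";
    const char *port    = "443";

    printf("well-formed: rc=%d\n", run_helper_noshell("/bin/echo", good_ip, port));
    printf("rejected:    rc=%d\n", run_helper_noshell("/bin/echo", bad_ip, port));
    return 0;
}
```

The design point is that the hardened path never needs a deny-list of dangerous characters: the parameters are checked against the one shape each is allowed to have, and the helper is invoked without a shell, so even a value that slipped past validation would be delivered as a single argument rather than interpreted.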

Potential Impact

For European organizations, the exploitation of this vulnerability could lead to significant security risks. Compromised routers can serve as entry points into corporate or home networks, enabling attackers to intercept, modify, or redirect network traffic, conduct man-in-the-middle attacks, or pivot to internal systems. This can result in data breaches, loss of confidentiality, and disruption of business operations. Small and medium enterprises (SMEs) and home offices using the affected D-Link DIR-823X models are particularly at risk, as these devices are often less monitored and updated. Additionally, compromised routers can be enlisted into botnets, contributing to larger-scale attacks such as distributed denial-of-service (DDoS) campaigns, which can affect critical infrastructure and services in Europe. The medium CVSS score might underestimate the operational impact since network infrastructure compromise can have cascading effects. Given the remote exploitability without authentication, attackers can target vulnerable devices en masse, increasing the likelihood of widespread impact across European networks.

Mitigation Recommendations

European organizations and users should immediately inventory their network devices to identify any D-Link DIR-823X routers running the affected firmware versions (240126, 240802, 250416). Since no official patches are currently available, mitigation should focus on reducing exposure:

1) Restrict remote access to router management interfaces by disabling WAN-side administration and limiting access to trusted IP addresses or VPNs.
2) Implement network segmentation to isolate vulnerable devices from critical systems.
3) Monitor network traffic for unusual patterns indicative of exploitation attempts, such as unexpected outbound connections or command execution behaviour.
4) Update router firmware as soon as D-Link releases a patch.
5) Consider replacing vulnerable devices with models confirmed to be secure or supported with timely updates.
6) Deploy intrusion detection/prevention systems (IDS/IPS) with signatures for known exploits targeting this vulnerability.
7) Educate users about the risks of outdated network hardware and the importance of timely updates.

These steps go beyond generic advice by focusing on access control, monitoring, and proactive device management tailored to this specific vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T12:23:57.015Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cc9f1bca83b36a9f700a27

Added to database: 9/19/2025, 12:08:59 AM

Last enriched: 9/19/2025, 12:10:49 AM

Last updated: 9/19/2025, 1:12:18 AM

