CVE-2025-2717 MEDIUM

CVE-2025-2717: D-Link DIR-823X HTTP POST Request diag_nslookup sub_41710C os command injection

Vendor D-Link

Product DIR-823X

Weakness CWE-78

Published March 24, 2025

Last update March 25, 2025

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

A vulnerability, which was classified as critical, has been found in D-Link DIR-823X 240126/240802. This issue affects the function sub_41710C of the file /goform/diag_nslookup of the component HTTP POST Request Handler. The manipulation of the argument target_addr leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Key dates

02Disclosure timeline

March 24, 2025 CVE published

March 25, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2717 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2025-2717

CWE CWE-78

CVSS 5.1 / MEDIUM

Affected versions

Vendor D-Link

Product DIR-823X

Affected 240126

Vendor D-Link

Product DIR-823X

Affected 240802

CVE-2025-2717: D-Link DIR-823X HTTP POST Request diag_nslookup sub_41710C os command injection

01Description

02Disclosure timeline

03References

04Related CVE