CVE-2025-10123 · CRITICAL 9.8 · EPSS p89.2%

Description

A vulnerability was identified in D-Link DIR-823X up to 250416. It affects the function sub_415028 of the file /goform/set_static_leases. Manipulating the argument Hostname can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.99% probability of exploitation · percentile 89.2% · 2026-06-18T12:00:27Z
Published: 2025-09-09
Last modified: 2026-04-29

Underlying weaknesses · 2

CWE-74, CWE-77

References

  1. https://github.com/lin-3-start/lin-cve/blob/main/DIR-823X/D-Link%20DIR-823X%20routers%20have%20an%20unauthorized%20command%20execution%20vulnerability.md
  2. https://github.com/lin-3-start/lin-cve/blob/main/DIR-823X/D-Link%20DIR-823X%20routers%20have%20an%20unauthorized%20command%20execution%20vulnerability.md#poc
  3. https://vuldb.com/?ctiid.323093
  4. https://vuldb.com/?id.323093
  5. https://vuldb.com/?submit.645712
  6. https://www.dlink.com/

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (cwe-74) | 0% | live
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-11097
CVE-2025-11092
CVE-2025-10401
CVE-2025-11095
CVE-2025-11096
CVE-2026-1544

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.