
D-Link DIR-823X Command Injection CVE-2025-29635 Added to CISA KEV — Mirai Botnet Exploiting Actively

CVE-2025-29635, an authenticated command injection in D-Link DIR-823X routers, has been added to CISA's Known Exploited Vulnerabilities catalogue following an active Mirai botnet campaign documented by Akamai. CVSS 7.2 understates the real risk: D-Link DIR-823X reached end of life, meaning no patch will be issued. Organisations with these routers must replace them. Federal deadline: May 19, 2026.


CISA has added CVE-2025-29635 to its Known Exploited Vulnerabilities catalogue, reflecting an active Mirai botnet exploitation campaign that Akamai researchers have been tracking since mid-April 2026. The vulnerability affects D-Link DIR-823X wireless routers — a product line that reached end of life in early 2025, meaning no security patch will ever be issued.

The Vulnerability

CVE-2025-29635 is an OS command injection flaw in the web management interface of the D-Link DIR-823X firmware. It sits in the /goform/set_prohibiting endpoint, which handles parental control and content filtering configuration. The endpoint copies the SiteList parameter into a system command string without sanitising it, so shell metacharacters in the parameter are interpreted as additional commands. Because the embedded Linux web server on these routers runs as root, an authenticated attacker who injects a payload into SiteList gets arbitrary command execution with root privileges on the device.
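To make the pattern concrete, the following is an added illustration, not D-Link's firmware code (which is not reproduced on this page): a hypothetical handler that splices a SiteList value into a shell command the way the article describes, beside a hardened version that allow-lists the hostname characters and invokes the helper tool without a shell. The handler names, the `filterctl` tool path and the injected payload are all assumptions.

```c
/* Added example (not D-Link code): command injection via an unsanitised
 * SiteList value, beside a hardened replacement. Tool name, handler names
 * and payload are hypothetical stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 512

/* VULNERABLE PATTERN: the attacker-controlled value is formatted straight into
 * a command line that will be handed to system(), i.e. to /bin/sh -c. Anything
 * the shell treats specially (';', '|', '`', "$(...)") becomes code. */
int build_filter_cmd_unsafe(char *out, size_t outlen, const char *sitelist)
{
    return snprintf(out, outlen, "/usr/sbin/filterctl add %s", sitelist);
}

/* The handler as the article describes it: build, then system(). Not called
 * by main() below, so the constructed payload is never actually executed. */
int apply_filter_unsafe(const char *sitelist)
{
    char cmd[CMD_MAX];
    build_filter_cmd_unsafe(cmd, sizeof cmd, sitelist);
    return system(cmd);          /* runs as root on the router */
}

/* HARDENED, step 1: allow-list. A site list is comma-separated hostnames, so
 * only [A-Za-z0-9.-] and ',' are legal; every entry must be non-empty and at
 * most 253 bytes (RFC 1035 name limit). Returns 1 if acceptable, else 0. */
int validate_site_list(const char *sitelist)
{
    if (sitelist == NULL || *sitelist == '\0')
        return 0;
    size_t label_len = 0;
    for (const char *p = sitelist; *p; p++) {
        if (isalnum((unsigned char)*p) || *p == '.' || *p == '-') {
            if (++label_len > 253)
                return 0;
        } else if (*p == ',') {
            if (label_len == 0)      /* empty entry, e.g. "a.com,,b.com" */
                return 0;
            label_len = 0;
        } else {
            return 0;                /* whitespace or a shell metacharacter */
        }
    }
    return label_len > 0;            /* reject a trailing comma */
}

/* HARDENED, step 2: even validated input never goes through a shell.
 * fork()+execv() passes the value as a single argv element, so there is no
 * interpreter left to give metacharacters meaning. Returns the tool's exit
 * status, or -1 if the input was rejected or the child could not be run. */
int apply_filter_safe(const char *tool, const char *sitelist)
{
    if (!validate_site_list(sitelist))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, "add", (char *)sitelist, NULL };
        execv(tool, argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed payload for illustration; the real campaign's payload is not
     * reproduced here. */
    const char *evil = "example.com;telnetd -l /bin/sh";
    char cmd[CMD_MAX];

    build_filter_cmd_unsafe(cmd, sizeof cmd, evil);
    printf("unsafe handler would hand the shell: %s\n", cmd);
    printf("validator accepts \"example.com,test.org\": %d\n",
           validate_site_list("example.com,test.org"));
    printf("validator accepts \"%s\": %d\n", evil, validate_site_list(evil));
    printf("safe handler on the payload returns: %d\n",
           apply_filter_safe("/usr/sbin/filterctl", evil));
    return 0;
}
```

The two fixes are independent and both are needed: the allow-list stops the injection at the parameter boundary, and the argv-based exec means that even a validation bug cannot turn a hostname into a command.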

The CVSS 7.2 score reflects the authentication requirement, but in practice that barrier is low: D-Link DIR-823X routers commonly run with factory default credentials (admin/admin or the model-specific default printed on the router label) that many home and small business users never change. Akamai's research confirms that the active Mirai campaign exploits exactly this gap, trying default credential pairs against the management interface first and injecting commands once a login succeeds.

EOL Device — No Patch Coming

D-Link has confirmed that DIR-823X reached end of life in January 2025. No security patches will be issued for this CVE or any future vulnerability discovered in this product line. CISA’s KEV addition acknowledges this in the advisory notes, stating the required action as “The impacted product is end-of-life and should be disconnected if still in use.”

For residential or small business routers, the EOL status means replacement is the only remediation option. There is no firmware fix to deploy.

Enterprise and Operational Context

D-Link DIR-823X devices appear in several enterprise-adjacent deployment contexts:

Remote worker VPN endpoints: IT departments that issued home networking equipment to remote workers during 2020–2022 may have DIR-823X units active on employee home networks that also carry corporate VPN traffic. A Mirai-compromised home router sits on-path for every packet the endpoint sends: it can tamper with DNS answers for traffic that bypasses a split-tunnel VPN, redirect users to credential-harvesting pages before the tunnel is established, and reach every other device on the home LAN, including the machine that holds the corporate VPN session.

Branch office and satellite location networking: DIR-823X units were adopted as low-cost branch office routers in some SMB and retail deployments. A botnet-compromised router in a branch location provides network access to that segment, including any point-of-sale systems, local servers, or cloud application traffic.

IoT gateway adjacency: The router’s embedded Linux environment, once compromised, can be used as a pivot point to scan and attack IoT devices on the local network — IP cameras, building management systems, and industrial sensors that share the same LAN.

Recommended Actions

  • Replace all DIR-823X units immediately — no patch is available, so hardware replacement is the only effective remediation. Choose a currently supported router from a vendor that publishes an end-of-support schedule, or an enterprise-grade alternative for branch deployments.
  • Audit remote worker router inventory — if your organisation issued networking equipment to home workers, identify any DIR-823X units and initiate hardware replacement through your IT equipment programme.
  • Confirm corporate VPN traffic is not traversing known-EOL home networking equipment — review your remote access policy to determine whether employees may use their own networking equipment for corporate VPN connections, and update it if use of the DIR-823X or other EOL routers is not prohibited.
  • Review branch office networking assets — include router firmware version and EOL status in your annual network asset review; EOL networking equipment is a persistent and growing risk category.
