Showing posts with label D-Link. Show all posts

Friday, April 24, 2026

CISA Adds D-Link DIR-823X Vulnerability to KEV Catalog – 4-24-26

Today CISA announced that it had added a command injection vulnerability (CVE-2025-29635) in the D-Link DIR-823X AX3000 Dual-Band Gigabit Wireless Router to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability was originally reported (with proof-of-concept code) by Wang Jinshuai and Zhao Jiangting at https://github.com/mono7s/, but that report was subsequently removed. D-Link responded in September 2025, noting that the router was end-of-life and no fix was planned.

Earlier this month Akamai reported that they had seen CVE-2025-29635 being exploited in their honeypots to deploy the Mirai botnet.

CISA has directed federal agencies using the wireless router to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” A deadline of May 8th, 2026 has been established. Since the product is end-of-life and no fix is available, agencies would be required to stop using the D-Link DIR-823X routers.

Tuesday, December 9, 2025

Review – 3 Advisories Published – 12-9-25

Today CISA’s NCCIC-ICS published three control system security advisories for products from India-Based CCTV vendors, Festo, and U-BOOT.

Advisories

D-Link Advisory - This advisory describes a missing authentication for critical function vulnerability in the D-Link (India-Limited) DCS-F5614-L1 CCTV (not sold in US).

Festo Advisory - This advisory discusses a cross-site scripting vulnerability (with publicly available exploit) in the Festo LX Appliance.

U-BOOT Advisory - This advisory describes an improper access control for volatile memory containing boot code vulnerability in the U-BOOT bootloader (the advisory lists affected Qualcomm chips).

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-12-9-25 - subscription required.

Thursday, April 11, 2024

CISA Adds 2 NAS Vulnerabilities to KEV Catalog

Today, CISA added two new vulnerabilities to their Known Exploited Vulnerabilities Catalog, both for multiple NAS devices from D-Link. The two vulnerabilities are:

• Use of hard-coded credentials - CVE-2024-3272, and

• Command injection - CVE-2024-3273

NOTE: Both of the links above apply to both vulnerabilities.

While not included in the KEV addition notice, the CVE record for -3273 includes the following in the KEV notice for the CVE:

“This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.”

On an odd note (and a brief commentary on the continuing NVD.NIST.gov problems) only the -3273 CVE entry notes that the CVE has been listed in the KEV Catalog. The -3272 entry currently (2113 EDT, 4-11-24) does not mention that the CVE has been so listed.

Saturday, November 10, 2018

Public ICS Disclosures – Week of 11-03-18


This week we have a vendor disclosure for products from Rockwell and researcher disclosures for products from D-Link and Advantech.

Rockwell Advisory


Rockwell published an advisory for an IP configuration vulnerability in their MicroLogix 1400 controllers and 1756 ControlLogix EtherNet/IP Communications Modules. The vulnerability was reported to Rockwell by ICS-CERT (and an NCCIC-ICS advisory should be expected this coming week). Rockwell has firmware updates available for currently supported products that mitigate the vulnerability.

NOTE: The advisory indicates that this might be a problem with the ODVA EtherNet/IP standard, so this vulnerability might affect products from other vendors as well.

D-Link Vulnerabilities


John Page (hyp3rlinx) reports three vulnerabilities in the D-Link Central WifiManager CWM-100. The reports indicate that D-Link has been notified of the vulnerabilities but has not communicated successful mitigation measures to Page. The reports include POC exploits.

The three reported vulnerabilities are:

• Server-side request forgery - CVE-2018-15517; and
• FTP server PORT bounce scan - CVE-2018-15516

Advantech Vulnerabilities


Tenable has published an advisory for three vulnerabilities in the Advantech WebAccess/SCADA 8.3.2 product. Chris Lane has published exploit code for two of the vulnerabilities. Tenable reports that Advantech has published a new version that mitigates the vulnerabilities. There is no indication that Tenable has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Directory traversal (2) - CVE-2018-15705, and CVE-2018-15706; and
• Reflected cross-site scripting - CVE-2018-15707

 