A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-2359

CVE-2025-2359: D-Link DIR-823G Auth Bypass Vulnerability

CVE-2025-2359 is an authentication bypass vulnerability in D-Link DIR-823G firmware affecting the DDNS Service component. Attackers can exploit this remotely to gain unauthorized access. This article covers technical details, affected versions, impact assessment, and available mitigation strategies.

Published: March 25, 2026

CVE-2025-2359 Overview

A critical improper authorization vulnerability has been discovered in the D-Link DIR-823G router firmware version 1.0.2B05_20181207. The vulnerability exists within the SetDDNSSettings function of the /HNAP1/ component, which handles DDNS (Dynamic DNS) Service configuration. By manipulating the SOAPAction argument, an attacker can bypass authorization controls and gain unauthorized access to sensitive router functionality. This vulnerability is particularly concerning as it can be exploited remotely without authentication, and the affected product has reached end-of-life status with no vendor support available.

Critical Impact

Remote attackers can exploit this improper authorization flaw to bypass security controls in the DDNS Service, potentially allowing unauthorized configuration changes to the router. The exploit has been publicly disclosed, increasing the risk of active exploitation against unpatched devices.

Affected Products

  • D-Link DIR-823G Firmware version 1.0.2B05_20181207
  • D-Link DIR-823G Hardware (all units running vulnerable firmware)

Discovery Timeline

  • 2025-03-17 - CVE-2025-2359 published to NVD
  • 2025-07-15 - Last updated in NVD database

Technical Details for CVE-2025-2359

Vulnerability Analysis

This vulnerability is classified as CWE-266 (Incorrect Privilege Assignment), which falls under the broader category of improper authorization vulnerabilities. The flaw resides in the Home Network Administration Protocol (HNAP) implementation within the D-Link DIR-823G router.

The SetDDNSSettings function, responsible for configuring Dynamic DNS settings, fails to properly validate authorization before processing requests. The HNAP protocol uses SOAPAction headers to specify the requested operation, and the vulnerable implementation does not adequately verify that the requesting entity has the necessary privileges to modify DDNS configuration.

This authorization bypass allows remote attackers to manipulate router settings without proper authentication, potentially enabling them to redirect DNS queries, establish persistent access, or facilitate further attacks against the network infrastructure.

Root Cause

The root cause stems from improper authorization checks within the HNAP service implementation. When processing SOAP requests to the /HNAP1/ endpoint, the SetDDNSSettings function fails to verify that the caller possesses appropriate privileges before executing the requested operation. This incorrect privilege assignment allows unauthenticated remote attackers to invoke privileged functionality by crafting malicious SOAPAction requests.

The vulnerability is exacerbated by the fact that HNAP exposes these functions over the network interface, making them accessible to any attacker with network access to the router's management interface.

Attack Vector

The attack is network-based and can be executed remotely without user interaction or prior authentication. An attacker would send specially crafted SOAP requests to the /HNAP1/ endpoint with manipulated SOAPAction headers targeting the SetDDNSSettings function.

The attack involves:

  1. Identifying a vulnerable D-Link DIR-823G device on the network
  2. Sending crafted HTTP requests to the /HNAP1/ endpoint
  3. Manipulating the SOAPAction header to bypass authorization checks
  4. Modifying DDNS settings without proper credentials

Technical details and proof-of-concept information can be found in the Notion DDNS Settings Guide and VulDB entry #299826.

Detection Methods for CVE-2025-2359

Indicators of Compromise

  • Unexpected HTTP requests to the /HNAP1/ endpoint from external IP addresses
  • DDNS configuration changes that were not initiated by authorized administrators
  • Suspicious SOAPAction headers containing SetDDNSSettings in network traffic logs
  • Unusual outbound DNS traffic patterns indicating possible DDNS redirection

Detection Strategies

  • Monitor network traffic for HTTP requests targeting /HNAP1/ endpoints on D-Link router devices
  • Implement intrusion detection rules to flag SOAP requests with SetDDNSSettings actions from untrusted sources
  • Audit router configuration logs for unauthorized DDNS setting modifications
  • Deploy network segmentation to isolate router management interfaces from untrusted networks

Monitoring Recommendations

  • Enable logging on all D-Link router management interfaces and forward logs to a centralized SIEM
  • Configure alerts for any configuration changes to DDNS settings on affected devices
  • Implement network monitoring to detect reconnaissance activities targeting HNAP services
  • Regularly audit router configurations to detect unauthorized modifications

How to Mitigate CVE-2025-2359

Immediate Actions Required

  • Restrict network access to the router's management interface using firewall rules or access control lists
  • Disable remote management features if not required for operations
  • Isolate affected D-Link DIR-823G devices from untrusted network segments
  • Consider replacing end-of-life devices with currently supported router models

Patch Information

This vulnerability affects the D-Link DIR-823G router which has reached end-of-life (EOL) status. D-Link no longer provides security updates or patches for this product. Organizations using affected devices should prioritize device replacement with actively supported alternatives.

For more information, visit the D-Link Official Website for current product offerings and security advisories.

Workarounds

  • Disable the HNAP service if feasible and not required for router functionality
  • Implement strict firewall rules to block external access to port 80/443 on the router's management interface
  • Place the router behind an additional firewall or security appliance that can filter malicious SOAP requests
  • Monitor and audit all changes to router configurations using network monitoring tools
bash
# Example: Block external access to router management interface using iptables
# Apply these rules on an upstream firewall or gateway device

# Block HTTP access to router management from WAN
iptables -A FORWARD -d <router_ip> -p tcp --dport 80 -i eth0 -j DROP

# Block HTTPS access to router management from WAN
iptables -A FORWARD -d <router_ip> -p tcp --dport 443 -i eth0 -j DROP

# Allow management access only from trusted admin subnet
iptables -A FORWARD -d <router_ip> -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechDlink
  • SeverityMEDIUM
  • CVSS Score6.9
  • EPSS Probability0.53%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-266
  • Technical References
  • Notion DDNS Settings Guide
  • VulDB CTI #299826
  • VulDB #299826
  • VulDB Submission #513750
  • D-Link Official Website
  • Related CVEs
  • CVE-2026-4377: D-Link DWR-X1820 Auth Bypass Vulnerability
  • CVE-2026-7554: D-Link M60 Auth Bypass Vulnerability
  • CVE-2026-42372: D-Link DIR-605L Auth Bypass Vulnerability
  • CVE-2026-42373: D-Link DIR-605L Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English