Ongoing Attacks Target Legacy D-Link DSL Routers via Critical RCE Vulnerability

Cybersecurity researchers have reported ongoing attacks exploiting a critical vulnerability in legacy D-Link DSL gateway routers. The flaw, tracked as CVE-2026-0625, has a CVSS score of 9.3 and enables unauthenticated remote attackers to execute arbitrary code on affected devices.

Command Injection in DNS Configuration Endpoint

The vulnerability stems from improper sanitization of user-supplied DNS parameters in the dnscfg.cgi endpoint. Exploitation allows attackers to inject shell commands, leading to full remote code execution (RCE) without requiring any credentials.

VulnCheck noted that the affected endpoint is associated with unauthenticated DNS modification behavior, previously documented by D-Link. The flaw impacts several firmware variants of legacy D-Link models, including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, produced between 2016 and 2019.

Evidence of Active Exploitation

Attempts to exploit CVE-2026-0625 were observed by the Shadowserver Foundation on November 27, 2025. Many of the affected devices have reached end-of-life (EoL), leaving them without firmware updates. The affected models and firmware versions are:

  • DSL-2640B ≤ 1.07
  • DSL-2740R < 1.17
  • DSL-2780B ≤ 1.01.14
  • DSL-526B ≤ 2.01

D-Link confirmed on December 16, 2025, that it had launched an internal investigation following the report from VulnCheck. The company is assessing the use of the CGI library across its product lineup and reviewing firmware builds to determine which models are impacted. D-Link noted that accurate detection requires direct firmware inspection, complicating efforts to identify affected units.

Risks and Recommendations

While the attackers’ identities and the full scale of exploitation are unknown, experts warn that this vulnerability poses significant risk. Field Effect highlighted that CVE-2026-0625 targets the same DNS configuration mechanism exploited in previous DNS hijacking campaigns.

Once DNS settings are modified, traffic can be silently redirected, intercepted, or blocked, affecting all devices behind the router. Since the impacted D-Link DSL models are unpatchable and no longer supported, organizations continuing to operate them face heightened operational and security risks.

Security professionals recommend that users retire legacy DSL routers immediately and upgrade to actively supported models receiving regular firmware and security updates.
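
For defenders who still have such a device in service while replacing it, the sketch below scans web or proxy access logs for requests to dnscfg.cgi and flags parameter values that contain anything other than address characters, as well as resolver addresses outside an expected set. It is an added example, not code from VulnCheck, D-Link or the researchers cited above; the log lines, the parameter names dns1/dns2 and the expected resolver addresses are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (documentation address ranges). The parameter
# names dns1/dns2 are hypothetical; the check does not depend on them.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:01:02 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53&dns2=192.0.2.54 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:05:44 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53%3BPLACEHOLDER&dns2=192.0.2.54 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:06:10 +0000] "GET /dnscfg.cgi?dns1=203.0.113.200 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

# Assumption: the resolvers this network is supposed to hand out.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters that can appear in an IP address or a simple flag value.
PLAIN_VALUE_RE = re.compile(r"[A-Za-z0-9.:_-]*")


def classify(line):
    """Return None for unrelated lines, else the source and a list of findings."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith("/dnscfg.cgi"):
        return None
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if not PLAIN_VALUE_RE.fullmatch(value):
            # Decoded value holds something other than address/flag characters.
            findings.append(("unexpected-characters", name))
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # plain non-address value such as a numeric flag
        if str(addr) not in EXPECTED_RESOLVERS:
            findings.append(("unexpected-resolver", name))
    return {"src": m["src"], "findings": findings}


def scan(lines):
    """Keep only dnscfg.cgi requests that produced at least one finding."""
    results = (classify(line) for line in lines)
    return [r for r in results if r and r["findings"]]
```

The check only sees parameters that appear in the logged request line, so requests that carry their parameters in a body need a source that records bodies.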
