Critical Vulnerability in Legacy D-Link Routers Actively Exploited; Users Urged to Upgrade for Security

Critical Vulnerability in Legacy D-Link DSL Routers Under Active Exploitation

A significant security flaw has been identified in older D-Link DSL gateway routers, and it is currently being actively exploited. The vulnerability, tracked as CVE-2026-0625 with a CVSS score of 9.3, is a command injection issue in the dnscfg.cgi endpoint: user-supplied DNS configuration parameters are not adequately sanitized before use, which allows unauthenticated remote attackers to execute arbitrary shell commands on the device, resulting in remote code execution.

Security firm VulnCheck highlighted that this vulnerability is linked to unauthenticated DNS modification behaviors, previously documented by D-Link. Between 2016 and 2019, active exploitation campaigns targeted firmware versions of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models. Notably, exploitation attempts for CVE-2026-0625 were recorded by the Shadowserver Foundation on November 27, 2025.

The affected devices, which have reached end-of-life (EoL) status as of early 2020, include:

– DSL-2640B firmware versions up to 1.07
– DSL-2740R firmware versions below 1.17
– DSL-2780B firmware versions up to 1.01.14
– DSL-526B firmware versions up to 2.01

In response to these findings, D-Link initiated an internal investigation following a report from VulnCheck on December 16, 2025, regarding active exploitation of the dnscfg.cgi endpoint. The company is working to identify both historical and current uses of the CGI library across all its products. Due to variations in firmware implementations and product generations, accurately determining affected models has proven complex. D-Link plans to release an updated list of specific models later this week after completing a comprehensive firmware-level review.

D-Link stated, "Current analysis shows no reliable model number detection method beyond direct firmware inspection. For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation."

At this time, the identities of the threat actors exploiting this flaw and the extent of their activities remain unknown. Given that the vulnerability affects DSL gateway products that have been phased out, it is crucial for device owners to retire these models and upgrade to actively supported devices that receive regular firmware and security updates.

Field Effect, a cybersecurity firm, emphasized the severity of the issue: "CVE-2026-0625 exposes the same DNS configuration mechanism leveraged in past large-scale DNS hijacking campaigns. The vulnerability enables unauthenticated remote code execution via the dnscfg.cgi endpoint, giving attackers direct control over DNS settings without credentials or user interaction."

They further explained, "Once altered, DNS entries can silently redirect, intercept, or block downstream traffic, resulting in a persistent compromise affecting every device behind the router. Because the impacted D-Link DSL models are end of life and unpatchable, organizations that continue to operate them face elevated operational risk."
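The two observations above (dnscfg.cgi accepts DNS settings without credentials and does not sanitize them, and a changed DNS setting silently affects every device behind the router) give a defender two concrete things to look for while such a device is still in service. The following is an added example and not code from the advisory, D-Link, VulnCheck or Field Effect: it assumes request logs in combined log format from a proxy or sensor in front of the gateway, a LAN of 192.168.1.0/24, and hypothetical parameter names (the advisory names only the endpoint), and flags any dnscfg.cgi request that comes from outside the LAN or carries a DNS value that is not a bare IPv4 address. The same strict IPv4 check is the allowlist validation the vulnerable endpoint lacked.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for a hypothetical gateway with LAN 192.168.1.0/24;
# the parameter names are assumed, the advisory names only the dnscfg.cgi endpoint.
SAMPLE_LOG = """\
192.168.1.20 - - [27/Nov/2025:10:01:02 +0000] "GET /dnscfg.cgi?dnsPrimary=192.168.1.1&dnsSecondary=9.9.9.9 HTTP/1.1" 200 512
198.51.100.23 - - [27/Nov/2025:10:05:17 +0000] "GET /dnscfg.cgi?dnsPrimary=198.51.100.7 HTTP/1.1" 200 512
198.51.100.23 - - [27/Nov/2025:10:06:03 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 512
192.168.1.20 - - [27/Nov/2025:10:07:44 +0000] "GET /dnscfg.cgi?dnsPrimary=9.9.9.9%20x HTTP/1.1" 200 512
192.168.1.20 - - [27/Nov/2025:10:08:10 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def is_plain_ipv4(value: str) -> bool:
    """A DNS server setting must be a bare dotted-quad address and nothing else."""
    try:
        ipaddress.IPv4Address(value)
    except ValueError:
        return False
    return True

def analyse_request(src: str, target: str, lan: ipaddress.IPv4Network) -> list:
    """Reasons a dnscfg.cgi request deserves attention; [] for other paths or clean requests."""
    parts = urlsplit(target)
    if parts.path != "/dnscfg.cgi":
        return []
    reasons = []
    # The endpoint needs no credentials, so any hit from outside the LAN is an alert by itself.
    if ipaddress.ip_address(src) not in lan:
        reasons.append("dnscfg.cgi reached from outside the LAN")
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if not all(is_plain_ipv4(v) for v in values):
            reasons.append(f"parameter {name} is not a plain IPv4 address")
    return reasons

def scan_log(text: str, lan: str = "192.168.1.0/24") -> list:
    """Return (timestamp, source, reasons) for every flagged log line."""
    net = ipaddress.ip_network(lan)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = analyse_request(m["src"], m["target"], net)
            if reasons:
                hits.append((m["ts"], m["src"], reasons))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the two requests from 198.51.100.23 and the LAN request whose DNS value is not a bare address, and ignores the clean configuration change and the unrelated page fetch.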