A newly discovered critical security flaw in legacy D-Link DSL gateway routers is being exploited in the wild.
The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), involves a case of command injection into the ‘dnscfg.cgi’ endpoint due to improper sanitization of user-specified DNS configuration parameters.
“An unauthenticated, remote attacker may be able to inject and execute arbitrary shell commands, potentially resulting in remote code execution,” VulnCheck said in its advisory.
“Affected endpoints are also associated with an unauthorized DNS change (“DNSChanger”) behavior documented by D-Link, which reported an active exploitation campaign targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 to 2019. ”
The cybersecurity company also noted that an exploitation attempt targeting CVE-2026-0625 was recorded by the Shadow Server Foundation on November 27, 2025. Some of the affected devices have reached End of Life (EoL) status as of early 2020.
DSL-2640B <= 1.07 DSL-2740R < 1.17 DSL-2780B <= 1.01.14 DSL-526B <= 2.01
In its own alert, D-Link revealed that it initiated an internal investigation following VulnCheck’s December 16, 2025 report of active abuse of “dnscfg.cgi” and is working to determine past and current usage of the CGI library across all of its products.
He also noted that determining exactly which models are affected is complicated by different firmware implementations and product generations. An updated list of specific models will be published later this week once firmware level reviews are complete.
“Current analysis indicates that there is no reliable method of model number detection other than directly inspecting the firmware,” D-Link said. “For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of our investigation.”
At this stage, the identity of the attackers exploiting this flaw and their scale are unknown. Because this vulnerability affects DSL gateway products that are being phased out, it is important that device owners retire those products and upgrade to actively supported devices that receive regular firmware and security updates.
“CVE-2026-0625 exposes the same DNS configuration mechanisms utilized in past large-scale DNS hijacking campaigns,” Field Effect said. “This vulnerability allows unauthenticated remote code execution via the dnscfg.cgi endpoint, allowing an attacker to directly control DNS settings without credentials or user interaction.”
“Any changes to DNS entries can silently redirect, intercept, or block downstream traffic, resulting in a persistent compromise that affects all devices behind the router. The affected D-Link DSL models are end of life and cannot be patched, so organizations that continue to operate them face increased operational risk.”
Source link
