Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers
A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the 'dnscfg.cgi' endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters.
An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution, according to VulnCheck. This vulnerability is associated with unauthenticated DNS modification ('DNSChanger') behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019.
The cybersecurity company also noted that exploitation attempts targeting CVE-2026-0625 were recorded by the Shadowserver Foundation on November 27, 2025. Some of the impacted devices have reached end-of-life (EoL) status as of early 2020, including:
- DSL-2640B <= 1.07
- DSL-2740R < 1.17
- DSL-2780B <= 1.01.14
- DSL-526B <= 2.01
D-Link initiated an internal investigation following a report from VulnCheck on December 16, 2025, about active exploitation of 'dnscfg.cgi'. The company is working to identify historical and current use of the CGI library across all its product offerings. However, complexities in accurately determining affected models due to variations in firmware implementations and product generations have been noted.
An updated list of specific models is expected to be published later this week once a firmware-level review is complete. Current analysis shows no reliable model number detection method beyond direct firmware inspection, so D-Link is validating firmware builds across legacy and supported platforms as part of the investigation.
The identity of the threat actors exploiting the flaw and the scale of such efforts are not known. Given that the vulnerability impacts DSL gateway products that have been phased out, it's important for device owners to retire them and upgrade to actively supported devices that receive regular firmware and security updates.
CVE-2026-0625 exposes the same DNS configuration mechanism leveraged in past large-scale DNS hijacking campaigns, Field Effect said. The vulnerability enables unauthenticated remote code execution via the dnscfg.cgi endpoint, giving attackers direct control over DNS settings without credentials or user interaction.
Once altered, DNS entries can silently redirect, intercept, or block downstream traffic, resulting in a persistent compromise affecting every device behind the router. Because the impacted D-Link DSL models are end of life and unpatchable, organizations that continue to operate them face elevated operational risk.
Follow us on Google News, Twitter, and LinkedIn to stay updated with our latest security insights and exclusive content.
