
A critical command injection vulnerability tracked as CVE-2026-0625 is being actively exploited in the wild, targeting numerous legacy D-Link DSL routers and gateways that reached end-of-life (EOL) years ago.
The flaw allows unauthenticated remote attackers to execute arbitrary shell commands via a DNS configuration endpoint, enabling full remote code execution (RCE).
D-Link Systems, Inc. is a Taiwan-based global manufacturer of networking hardware, best known for its home and small business routers.
The vulnerability was discovered and reported by the cybersecurity firm VulnCheck on December 16, 2025, after observing real-world exploitation attempts in live environments. The exploitation was connected to a long-standing issue with a compromised CGI library used in multiple D-Link router models. Evidence of exploitation was independently confirmed by the Shadowserver Foundation, which first observed attack activity on November 27, 2025.
CVE-2026-0625 is tied to improper sanitization in the dnscfg.cgi endpoint, part of the router’s web configuration interface. This allows attackers to inject shell commands into DNS configuration parameters without requiring authentication, leading to full system compromise. The vulnerability was scored 9.3 (Critical) on the CVSS v4 scale.
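As an added example (not code from VulnCheck, Shadowserver or D-Link), the Python below scans web access logs from a proxy or sensor in front of such a device for requests to dnscfg.cgi, and separates plain probes of the endpoint from requests whose parameter values carry shell metacharacters, including double-encoded ones. The combined log format, the parameter name `field1` and every sample line are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQ = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters and sequences a shell treats as separators or substitutions.
SHELL_META = re.compile(r'[;&|`\n\r]|\$\(|\$\{')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so that %253B is seen as ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (source, verdict, field) for a dnscfg.cgi request, else None."""
    m = REQ.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith("/dnscfg.cgi"):
        return None
    # Inspect every parameter value; no real parameter names are assumed.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(fully_decode(value)):
            return (m.group("src"), "injection-attempt", name)
    # Any hit on this endpoint is still worth recording.
    return (m.group("src"), "endpoint-probe", None)

def scan(lines):
    """Classify each log line and keep only the dnscfg.cgi hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines: documentation-range addresses, placeholder field name.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] "GET /dnscfg.cgi?field1=192.0.2.53%3BPLACEHOLDER HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:05 +0000] "GET /dnscfg.cgi?field1=192.0.2.53%253BPLACEHOLDER HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jan/2026:10:00:09 +0000] "GET /dnscfg.cgi?field1=192.0.2.53 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2026:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, verdict, field in scan(SAMPLE_LOG):
        print(src, verdict, field)
```

Only query strings are inspected here; values sent in a request body do not appear in an access log and need a sensor that records bodies.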
This flaw belongs to the broader family of GhostDNS and DNSChanger attacks. Initially documented in 2018 and 2019, these campaigns targeted home and carrier-grade routers using similar tactics, brute-forcing credentials or exploiting unprotected CGI scripts to hijack DNS settings for traffic interception and data theft. GhostDNS was known to include over 100 scripts across a sprawling infrastructure of more than 100 command-and-control servers.
Affected devices and scope
D-Link’s latest advisory identifies at least 18 distinct router and NAS models affected by CVE-2026-0625, all of which are EOL/EOS and no longer receive security updates. Most of these devices were widely deployed between 2010 and 2016, with heavy usage across consumer and small office networks.
The impacted models include:
- DSL-526B (≤ v2.01)
- DSL-2640B (≤ v1.07)
- DSL-2740R (< v1.17)
- DSL-2780B (≤ v1.01.14)
Additionally, the following devices are listed in connection with known DNSChanger variants:
- DSL-2640T, DSL-2740R, DSL-500, DSL-500G, DSL-502G
- DIR-series routers such as DIR-600, DIR-608, DIR-610, DIR-611, DIR-615, DIR-905L
- ShareCenter NAS devices including DNS-320, DNS-325, DNS-345
These devices are no longer supported and, according to D-Link, no future patches or mitigations will be released for them. Many of these older models, especially budget DSL routers, were widely deployed by ISPs and home users over the past decades.
D-Link’s advisory urges users of the affected models to retire these devices immediately. D-Link explicitly states that continued use of these routers constitutes a security risk, and any remaining users should consider device replacement as the only viable defense.






