Critical RCE Vulnerability in D-Link DSL Routers: Active Exploits & How to Protect Yourself (2026)

A Critical Security Threat Unveiled: Exploitation of Legacy D-Link DSL Routers

A newly identified critical vulnerability in legacy D-Link DSL gateway routers is being actively exploited. The flaw, tracked as CVE-2026-0625 (CVSS score: 9.3), is a command injection vulnerability in the "dnscfg.cgi" endpoint. It stems from inadequate sanitization of user-supplied DNS configuration parameters.

According to a recent advisory from VulnCheck, "an unauthenticated remote attacker can inject and execute arbitrary shell commands, leading to remote code execution." In other words, attackers can take control of a device without any credentials or legitimate access.

The vulnerable endpoint is also associated with unauthenticated DNS modification, a behavior referred to as 'DNSChanger.' D-Link has previously documented this behavior, reporting that exploitation campaigns targeted various firmware versions of models including the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, which were primarily supported from 2016 until 2019.

The Shadowserver Foundation recorded attempts to exploit this vulnerability on November 27, 2025. Some of the impacted router models have been designated end-of-life (EoL) since early 2020, meaning they no longer receive updates or support:

  • DSL-2640B <= 1.07
  • DSL-2740R < 1.17
  • DSL-2780B <= 1.01.14
  • DSL-526B <= 2.01

D-Link initiated an internal review after receiving a report from VulnCheck on December 16, 2025, about the ongoing exploitation of "dnscfg.cgi". The company is working to identify both historical and current uses of the CGI library across its product line. However, it says that definitively identifying affected models is difficult because of differences in firmware versions and the range of product generations.

D-Link has announced that a more precise list of affected models will be made available soon, following a firmware-level evaluation. The company stated, "Current analysis shows no reliable method for detecting model numbers beyond direct inspection of firmware," which means validation has to be carried out across both legacy and currently supported platforms.

The identities of the attackers exploiting this vulnerability and the extent of their activities remain unclear. Because the flaw affects outdated DSL gateway products, users should retire these devices and move to newer models that are actively maintained and receive regular security updates.

As pointed out by Field Effect, "CVE-2026-0625 exposes the same DNS configuration mechanism exploited in previous large-scale DNS hijacking operations." The vulnerability enables unauthenticated remote code execution through the dnscfg.cgi endpoint, giving attackers control over DNS settings without requiring credentials or user interaction.

Once DNS settings are altered, attackers can covertly redirect, intercept, or block network traffic, resulting in a persistent compromise that affects every device connected behind the router. Organizations still using these obsolete D-Link DSL models face increased operational risk because the devices cannot receive security patches.
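For defenders who must keep such a device running until it is replaced, the following added example (not from the advisories or from D-Link) scans access-log lines for requests to dnscfg.cgi and flags parameter values that contain shell metacharacters or that set a resolver outside an approved list. It assumes requests to the router's management interface are recorded in common log format by a proxy or network sensor; the parameter names, addresses and log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: the resolvers your router should use (documentation addresses).
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}
# Shell metacharacters and whitespace; none belongs in a DNS server address.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\s]")
# Request line of a common/combined-format access-log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def inspect_line(line):
    """Return (finding, parameter) pairs for one log line; empty if benign."""
    match = REQUEST.search(line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/dnscfg.cgi"):
        return []
    findings = []
    # parse_qsl percent-decodes values, so encoded metacharacters are seen too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append(("shell-metachar", name))
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue  # not an address (flag, token, ...): nothing to compare
        if value not in ALLOWED_RESOLVERS:
            findings.append(("unexpected-resolver", name))
    return findings

def scan(lines):
    """Map 1-based line number to findings for every suspicious line."""
    return {n: f for n, line in enumerate(lines, 1) if (f := inspect_line(line))}

# Constructed sample log; the parameter names dns1/dns2 are hypothetical.
PREFIX = '198.51.100.7 - - [01/Jan/2026:00:00:00 +0000] '
SAMPLE_LOG = [
    PREFIX + '"GET /dnscfg.cgi?dns1=192.0.2.53&dns2=192.0.2.54 HTTP/1.1" 200 512',
    PREFIX + '"GET /dnscfg.cgi?dns1=203.0.113.9&dns2=192.0.2.54 HTTP/1.1" 200 512',
    PREFIX + '"GET /dnscfg.cgi?dns1=192.0.2.53%3Bexample HTTP/1.1" 200 512',
    PREFIX + '"GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, findings)
```

Only query strings are inspected here; parameters sent in a POST body are visible only to a sensor that records request bodies.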

Author: Madonna Wisozk
