
Urgent Security Alert: Critical RCE Vulnerability in Legacy D-Link DSL Routers Under Ongoing Attack

A recently identified critical vulnerability in legacy D-Link DSL gateway routers is being exploited in the wild. The flaw, cataloged as CVE-2026-0625 (CVSS score 9.3), is a command injection in the "dnscfg.cgi" endpoint caused by inadequate sanitization of user-provided DNS configuration parameters.

According to security experts from VulnCheck, an unauthenticated remote attacker can leverage this vulnerability to inject and execute arbitrary shell commands, ultimately leading to remote code execution. The potentially affected devices include variants of models such as DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, produced between 2016 and 2019.

The issue is particularly concerning because the Shadowserver Foundation noted exploitation attempts targeting this vulnerability as early as November 27, 2025. Some of the devices in question have been classified as end-of-life since early 2020:

  • DSL-2640B <= 1.07
  • DSL-2740R < 1.17
  • DSL-2780B <= 1.01.14
  • DSL-526B <= 2.01

In a statement, D-Link acknowledged an ongoing internal investigation initiated after a report from VulnCheck on December 16, 2025. The company is working to assess the historical and current use of the CGI library across all its products, but the variations in firmware implementations make identifying affected models challenging. An updated list specifying vulnerable models will be released following a comprehensive firmware review.

D-Link has emphasized that accurate model detection requires direct firmware inspection, as there are no reliable methods beyond that approach. The scale of exploitation and the identities of the threat actors remain unknown at this time. However, given that the vulnerable routers are outdated, users are strongly advised to retire these devices and upgrade to newer models that receive regular firmware and security updates.
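The following is an added example, not code from D-Link, VulnCheck or the original article: it triages an asset inventory against the model and firmware bounds listed above. The inventory layout, host names, function names and the three verdict labels are assumptions; because the vendor's model list is still under review, anything that cannot be matched cleanly is sent to manual firmware inspection rather than cleared.

```python
import re

# Bounds copied from the article's list: model -> (operator, firmware version).
AFFECTED = {
    "DSL-2640B": ("<=", "1.07"),
    "DSL-2740R": ("<", "1.17"),
    "DSL-2780B": ("<=", "1.01.14"),
    "DSL-526B": ("<=", "2.01"),
}
# Constructed sample inventory (hypothetical hosts): (host, model, firmware).
INVENTORY = [
    ("branch-gw-1", "DSL-2740R", "1.15"),
    ("branch-gw-2", "dsl-2740r", "1.17"),
    ("lab-gw", "DSL-2780B", "1.01.14"),
    ("home-office", "DSL-526B", "EU_2.01"),
    ("core-sw", "SW-EXAMPLE", "21.4"),
]

def parse_version(text):
    """Turn '1.01.14' into (1, 1, 14); return None if not dotted-numeric."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(model, firmware):
    """Return 'listed', 'not-listed' or 'inspect' for one device."""
    key = model.strip().upper().replace(" ", "-")
    if key not in AFFECTED:
        # Assumption: any other DSL-* model gets a manual look, since the list is incomplete.
        return "inspect" if key.startswith("DSL-") else "not-listed"
    op, bound = AFFECTED[key]
    have = parse_version(firmware or "")
    if have is None:
        return "inspect"  # unparseable or missing firmware string
    limit = parse_version(bound)
    width = max(len(have), len(limit))
    have = have + (0,) * (width - len(have))
    limit = limit + (0,) * (width - len(limit))
    hit = have <= limit if op == "<=" else have < limit
    return "listed" if hit else "not-listed"

def report(inventory):
    """Map each host to its triage verdict."""
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, verdict in report(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "not-listed" verdict only means the device falls outside the bounds published so far; it is not a statement that the firmware is unaffected.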

Experts warn that CVE-2026-0625 shares characteristics with DNS hijacking mechanisms previously used in large-scale attacks. The vulnerability not only allows unauthenticated remote code execution via the dnscfg.cgi endpoint, it also gives attackers full control over DNS settings without credentials or user interaction. Modified DNS entries could enable silent traffic redirection, interception, or blocking, with lasting impact on every device behind the affected router. Because these D-Link models are unpatchable, continuing to use them poses heightened operational risks for organizations.

