Critical D-Link Router Vulnerability Actively Exploited
Table of Contents
A critical security vulnerability,tracked as CVE-2026-0625, is currently being actively exploited in the wild, impacting legacy D-Link DSL gateway routers. The vulnerability, which carries a CVSS score of 9.3, allows for unauthenticated remote code execution.
Understanding the Vulnerability
The flaw is a command injection vulnerability located in the dnscfg.cgi endpoint. This occurs because user-supplied DNS configuration parameters are not properly sanitized. An attacker can exploit this by injecting arbitrary shell commands, effectively gaining control of the affected device. VulnCheck details this allows for remote code execution.
This vulnerability is linked to previously documented DNS modification behavior,known as ‘DNSChanger,’ affecting several D-link models between 2016 and 2019. D-Link previously documented campaigns exploiting this related functionality.
Affected Devices
Exploitation attempts were first recorded by the Shadowserver Foundation on November 27, 2025. The following D-Link DSL gateway models are currently confirmed to be affected:
- DSL-2640B <= 1.07
- DSL-2740R < 1.17
- DSL-2780B <= 1.01.14
- DSL-526B <= 2.01
D-Link has initiated an investigation following reports from VulnCheck on December 16, 2025, and is working to identify all potentially vulnerable products. As of January 7, 2026, a complete list of affected models is pending a complete firmware review. D-Link notes there is currently no reliable method to identify impacted models beyond direct firmware inspection.
Impact and Risks
Accomplished exploitation of CVE-2026-0625 allows attackers to hijack DNS settings without authentication. Field Effect explains that this can led to redirection, interception, or blocking of network traffic, potentially compromising every device connected to the router.
Because many of the affected models are end-of-life and will not receive security updates,users are at significant risk. Attackers could leverage this vulnerability for widespread DNS hijacking campaigns,similar to those seen in the past.
Mitigation and Recommendations
Given the severity of the vulnerability and the lack of available patches for many impacted models, the most effective mitigation is to:
- Retire Affected Devices: Replace any vulnerable D-Link DSL gateway router with a currently supported model that receives regular security updates.
- Network Segmentation: If replacement is not immediately possible, isolate thes devices on a separate network segment to limit potential damage.
- monitor Network Traffic: Watch for suspicious DNS activity that could indicate a compromise.
Organizations should prioritize the replacement of these end-of-life devices to minimize their exposure to this and other potential security threats.