Critical D-Link Router Vulnerability CVE-2026-0625 Under Active Exploitation Worldwide

0

D-Link router vulnerability reports confirm active exploitation of a critical remote code execution flaw in legacy DSL gateways. Tracked as CVE-2026-0625, it carries a CVSS 9.3 rating.

The bug stems from improper input sanitization in dnscfg.cgi, enabling unauthenticated command injection through DNS parameters. Attackers can execute arbitrary commands without credentials.

Telemetry shows live targeting as D-Link reviews affected firmware. Several impacted models are end-of-life, limiting remediation to device retirement and replacement.

D-Link router vulnerability: What You Need to Know

• Unauthenticated RCE via dnscfg.cgi enables DNS hijacking; retire affected D-Link DSL routers immediately.

D-Link router vulnerability

The D-Link router vulnerability enables command injection through dnscfg.cgi, leading to unauthorized code execution and silent DNS changes that affect all devices behind the gateway. This path enables persistent compromise via DNS manipulation and remote code execution.

The technique mirrors earlier DNSChanger-style campaigns that targeted consumer and small-office routers.

Similar exploitation waves have abused weak configurations and IoT flaws, including activity tied to Mirai botnet targeting default router passwords and vulnerabilities such as credential exploits in Four-Faith routers and the Edimax camera zero-day leveraged by Mirai.

What is CVE-2026-0625?

CVE-2026-0625 is a critical command injection flaw in legacy D-Link DSL routers. With a CVSS 9.3 score, it allows remote attackers to run shell commands by abusing unsanitized DNS settings submitted to dnscfg.cgi.

The D-Link router vulnerability aligns with unauthenticated DNS modification behaviors observed in campaigns between 2016 and 2019 against models including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B.

Researchers observed CVE-2026-0625 exploitation attempts on November 27, 2025. The D-Link router vulnerability remains under investigation, and the identities of threat actors and total scope are not yet confirmed.

How dnscfg.cgi is being abused

Attackers submit crafted DNS parameters to dnscfg.cgi to inject shell commands, achieving remote code execution without authentication. This also enables covert DNS changes, raising the risk of D-Link DSL router DNS hijacking.

Traffic may be redirected, intercepted, or blocked, extending compromise to every downstream device.

In practice, the D-Link router vulnerability gives adversaries both a persistent foothold on the gateway and control over DNS resolution, which can facilitate phishing, malware delivery, and command-and-control traffic shaping.

Affected models and firmware status

Several affected devices reached end-of-life (EoL) in early 2020, including:

• DSL-2640B firmware versions ≤ 1.07
• DSL-2740R firmware versions < 1.17
• DSL-2780B firmware versions ≤ 1.01.14
• DSL-526B firmware versions ≤ 2.01

D-Link initiated a firmware-level review to produce a definitive model list. The company notes model numbers alone are insufficient for detection; direct firmware inspection is required.

Validation spans legacy and supported platforms. Given this uncertainty, treat the D-Link router vulnerability with urgency.

Detection and investigation timeline

Telemetry from late November 2025 recorded CVE-2026-0625 exploitation attempts. D-Link initiated an internal investigation following a report on December 16, 2025, and is analyzing historical and current CGI library usage across its portfolio.

While clarification is pending, CVE-2026-0625 exploitation remains an active risk.

Immediate actions for owners

Because multiple models are EoL and unpatchable, the safest response is retirement and replacement. For temporary operation, reduce risk aggressively:

• Replace with supported hardware receiving updates; monitor vendor advisories.
• Disable internet-facing remote administration; restrict management to trusted subnets.
• Continuously verify DNS settings; investigate unexpected changes immediately.
• Segment legacy devices to limit blast radius until decommissioned.

For broader context on router-targeting campaigns, review analyses of D-Link router exploits and botnet activity and how botnets abuse weak router configurations. As you modernize, align controls with zero-trust architecture for network security.

Operational implications of the current attacks

Public scrutiny and vendor investigation can accelerate asset inventory, prioritization, and replacement of vulnerable gear.

Telemetry signaling CVE-2026-0625 exploitation, combined with D-Link’s firmware review, helps defenders assess exposure and act. The D-Link router vulnerability now catalyzes overdue upgrades and tighter edge controls.

However, disadvantages are significant. Many devices are EoL and unpatched, leaving owners exposed to DNS hijacking and remote code execution. The absence of reliable model-based detection without firmware inspection complicates triage and procurement.

The D-Link router vulnerability keeps downstream users at risk until hardware is replaced.

Conclusion

The D-Link router vulnerability tracked as CVE-2026-0625 enables unauthenticated command injection via dnscfg.cgi, driving remote code execution and DNS manipulation. Active targeting is confirmed.

With multiple D-Link DSL models beyond support, retiring and replacing affected routers is the most reliable mitigation. If continued use is unavoidable, restrict management exposure and verify DNS settings frequently.

Monitor forthcoming D-Link firmware guidance and watch for signs of CVE-2026-0625 exploitation. Prioritized upgrades and zero-trust controls will reduce exposure at the network edge.

Questions Worth Answering

What is CVE-2026-0625?

– A critical dnscfg.cgi command injection bug in legacy D-Link DSL routers enabling unauthenticated remote code execution via malicious DNS parameters.

Which models are affected?

– Campaigns targeted DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B; several are EoL. D-Link will publish a final list after firmware review.

How serious is the D-Link router vulnerability?

– CVSS 9.3 and unauthenticated RCE make it severe. DNS changes can compromise every device behind the router.

Is there a patch for EoL routers?

– No. EoL devices rarely receive fixes. Replace hardware to mitigate the D-Link router vulnerability.

What does “CVE-2026-0625 exploitation” involve?

– Attackers send crafted DNS parameters to dnscfg.cgi, inject shell commands, alter DNS settings, and deploy payloads without user interaction.

What is D-Link DSL router DNS hijacking?

– Changing router DNS to redirect or intercept traffic, enabling phishing, malware distribution, and surveillance across downstream devices.

What immediate steps should owners take?

– Inventory and replace at-risk routers, disable remote admin, restrict management access, and continuously verify DNS configurations.

About D-Link

D-Link is a global networking vendor known for home and small office routers, switches, and wireless solutions.

The company publishes advisories and firmware updates for supported products and investigates reported security issues.

For end-of-life devices, D-Link advises migration to supported hardware to maintain a robust security posture.