A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the “dnscfg.cgi” endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters.
“An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution,” VulnCheck noted in an advisory.
“The affected endpoint is also associated with unauthenticated DNS modification (‘DNSChanger’) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019.”
The cybersecurity company also noted that exploitation attempts targeting CVE-2026-0625 were recorded by the Shadowserver Foundation on November 27, 2025. Some of the impacted devices have reached end-of-life (EoL) status as of early 2020 –
- DSL-2640B <= 1.07
- DSL-2740R < 1.17
- DSL-2780B <= 1.01.14
- DSL-526B <= 2.01
In an alert of its own, D-Link initiated an internal investigation following a report from VulnCheck on December 16, 2025, about active exploitation of “dnscfg.cgi,” and that it’s working to identify historical and current use of the CGI library across all its product offerings.
It also cited complexities in accurately determining affected models due to variations in firmware implementations and product generations. An updated list of specific models is expected to be published later this week once a firmware-level review is complete.
“Current analysis shows no reliable model number detection method beyond direct firmware inspection,” D-Link said. “For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation.”
At this stage, the identity of the threat actors exploiting the flaw and the scale of such efforts are not known. Given that the vulnerability impacts DSL gateway products that have been phased out, it’s important for device owners to retire them and upgrade to actively supported devices that receive regular firmware and security updates.
“CVE-2026-0625 exposes the same DNS configuration mechanism leveraged in past large-scale DNS hijacking campaigns,” Field Effect said. “The vulnerability enables unauthenticated remote code execution via the dnscfg.cgi endpoint, giving attackers direct control over DNS settings without credentials or user interaction.”
“Once altered, DNS entries can silently redirect, intercept, or block downstream traffic, resulting in a persistent compromise affecting every device behind the router. Because the impacted D-Link DSL models are end of life and unpatchable, organizations that continue to operate them face elevated operational risk.”
