A critical security vulnerability affecting legacy D-Link DSL gateway routers, identified as CVE-2026-0625, is currently under active exploitation in the wild. The high-severity flaw, with a CVSS score of 9.3, allows unauthenticated remote attackers to inject and execute arbitrary commands, leading to remote code execution. This poses a significant risk to users of these older D-Link devices.
The vulnerability stems from improper sanitization of user-supplied DNS configuration parameters within the “dnscfg.cgi” endpoint. This flaw enables attackers to modify DNS settings, potentially redirecting traffic or intercepting data. The Shadowserver Foundation recorded exploitation attempts targeting CVE-2026-0625 starting in late November 2025, indicating a proactive threat from malicious actors.
Active Exploitation of D-Link DSL Gateway Vulnerability
The newly identified command injection vulnerability, CVE-2026-0625, resides in the “dnscfg.cgi” file on affected D-Link DSL gateway routers. According to advisories, the vulnerability arises from a failure to properly sanitize DNS configuration parameters submitted by users. This oversight allows an unauthenticated remote attacker to bypass security measures and execute arbitrary shell commands on the compromised device.
VulnCheck, a cybersecurity research firm, highlighted that this same DNS configuration mechanism has been used in previous large-scale DNS hijacking campaigns. The ability for attackers to gain direct control over DNS settings without needing credentials or user interaction significantly increases the danger. Once DNS entries are altered, malicious actors can silently redirect, intercept, or block all downstream internet traffic, effectively compromising every device connected to the vulnerable router.
The exploitation of this flaw is particularly concerning because it affects several D-Link DSL router models that have reached their end-of-life (EoL) status. These models include the DSL-2640B (firmware versions up to 1.07), DSL-2740R (firmware versions prior to 1.17), DSL-2780B (firmware versions up to 1.01.14), and DSL-526B (firmware versions up to 2.01). Devices that have reached EoL typically no longer receive security updates or patches, leaving them permanently exposed to known vulnerabilities.
D-Link Investigates and Responds to CVE-2026-0625
D-Link has acknowledged the reports of active exploitation and has initiated an internal investigation into the “dnscfg.cgi” endpoint. Following a report from VulnCheck on December 16, 2025, the company stated it is actively working to identify the extent of historical and current use of this CGI library across its entire product portfolio. This process is complex due to variations in firmware implementations and product generations, making it difficult to pinpoint all affected models without direct firmware inspection.
The company emphasized that accurate model number detection is challenging without examining the firmware itself. Therefore, D-Link is conducting a comprehensive validation of firmware builds across both legacy and currently supported platforms. An updated list of specific affected models is anticipated to be released later this week, pending the completion of this detailed firmware-level review.
Meanwhile, the identity of the threat actors leveraging CVE-2026-0625 and the precise scale of these exploitation efforts remain unknown. Given that the affected devices are older DSL gateway products that are no longer supported, cybersecurity experts strongly advise users to retire these routers. Upgrading to actively supported devices that receive regular firmware and security updates is the most effective way to mitigate the risks associated with this and future vulnerabilities.
Field Effect, another cybersecurity entity, noted that the impact of this vulnerability is persistent. Once DNS settings are compromised on an EoL router, the underlying issue cannot be patched. Organizations continuing to operate these end-of-life D-Link DSL models face significantly elevated operational risks due to their inherent unpatchable nature and susceptibility to ongoing cyber threats.
The ongoing investigation by D-Link is crucial to understanding the full scope of the problem. Users are advised to remain vigilant and check for official communications from D-Link regarding specific model advisories and recommended actions. The situation underscores the importance of maintaining up-to-date network infrastructure to safeguard against evolving cybersecurity threats.