Actively Exploited D-Link Router Flaw Enables Unauthenticated Remote Code Execution

Critical Vulnerability Under Active Exploitation
Cybersecurity researchers have confirmed active exploitation of a critical security flaw affecting multiple legacy D-Link DSL gateway routers, allowing attackers to execute arbitrary commands without authentication.
The vulnerability, tracked as CVE-2026-0625 and rated CVSS 9.3, is a command injection issue in the dnscfg.cgi endpoint, caused by improper sanitization of user-supplied DNS configuration parameters.
“An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution,” VulnCheck warned.
DNS Hijacking and Remote Code Execution
The vulnerable dnscfg.cgi endpoint is responsible for DNS configuration and has historically been abused in DNSChanger-style attacks, where adversaries modify router DNS settings to silently redirect traffic.
According to VulnCheck and Field Effect, exploitation enables attackers to:
- Execute shell commands remotely
- Modify DNS settings without credentials
- Redirect, intercept, or block internet traffic
- Persistently compromise all downstream devices
Because the attack requires neither authentication nor user interaction, any router whose web interface is reachable by an attacker is at particularly high risk.
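To make the bug class concrete, the following is an added illustration of what an unsanitized DNS-configuration handler looks like next to a hardened one. It is not D-Link's code and is not taken from the advisory: the parameter name dnsPrimary, the resolv.conf command, the file path and the function names are all assumed for the example. The vulnerable variant only builds the shell command it would hand to system(), so the injection can be inspected without executing anything.

```c
/* Added example of command injection in a DNS-config CGI and its hardened
 * form. This is NOT D-Link's code; the parameter "dnsPrimary", the shell
 * command, the output path and all function names are assumed. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Vulnerable pattern: the CGI interpolates the raw parameter value into a
 * shell command. Returns the command string that would be passed to
 * system(); it is built, not executed, so the injection is visible safely.
 * Returns 0 on success, -1 if the buffer is too small. */
int vulnerable_build_cmd(const char *dns_param, char *cmd, size_t cmd_len) {
    int n = snprintf(cmd, cmd_len, "echo nameserver %s > /etc/resolv.conf",
                     dns_param);
    return (n >= 0 && (size_t)n < cmd_len) ? 0 : -1;
}

/* Hardened check: accept only a literal IPv4 or IPv6 address. inet_pton
 * rejects shell metacharacters, whitespace and any trailing junk, so a
 * value like "9.9.9.9; id" never reaches a shell or a config file. */
int is_valid_dns_ip(const char *s) {
    unsigned char buf[16];
    if (s == NULL || *s == '\0' || strlen(s) > INET6_ADDRSTRLEN) return 0;
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Hardened handler: validate first, then write the file with stdio instead
 * of going through a shell at all. `path` is a parameter so the example can
 * target a temporary file. Returns 0 on success, -1 on rejected input,
 * -2 on I/O error. */
int hardened_set_dns(const char *dns_param, const char *path) {
    if (!is_valid_dns_ip(dns_param)) return -1;
    FILE *f = fopen(path, "w");
    if (!f) return -2;
    int rc = fprintf(f, "nameserver %s\n", dns_param) < 0 ? -2 : 0;
    if (fclose(f) != 0) rc = -2;
    return rc;
}

int main(void) {
    /* Constructed inputs: a benign resolver and a generic injected value. */
    const char *benign = "9.9.9.9";
    const char *injected = "9.9.9.9; id";
    char cmd[256];

    vulnerable_build_cmd(injected, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened accepts \"%s\": %d\n", benign, is_valid_dns_ip(benign));
    printf("hardened accepts \"%s\": %d\n", injected, is_valid_dns_ip(injected));
    printf("hardened_set_dns(injected) -> %d\n",
           hardened_set_dns(injected, "/tmp/example_resolv.conf"));
    return 0;
}
```

The key design point is that validation is an allowlist (a parseable IP literal) rather than a denylist of shell characters, and that the hardened path never invokes a shell, so even a future validation gap cannot turn into command execution.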
Affected D-Link Models (End of Life)
The issue impacts multiple end-of-life (EoL) D-Link DSL routers, many of which stopped receiving security updates in early 2020:
- DSL-2640B ≤ 1.07
- DSL-2740R < 1.17
- DSL-2780B ≤ 1.01.14
- DSL-526B ≤ 2.01
The Shadowserver Foundation recorded real-world exploitation attempts targeting CVE-2026-0625 on November 27, 2025, confirming in-the-wild abuse.
D-Link Response and Ongoing Investigation
D-Link acknowledged the issue after receiving a report from VulnCheck on December 16, 2025, and said it launched an internal investigation into historical and current use of the vulnerable CGI component.
The company noted challenges in determining affected models due to:
- Firmware variations across regions
- Multiple product generations
- Lack of reliable model identification without direct firmware inspection
“Current analysis shows no reliable model number detection method beyond direct firmware inspection,” D-Link said.
An updated list of affected devices is expected once the firmware review is complete.
Elevated Risk for Unpatchable Devices
Security experts warn that the threat is especially severe because the impacted routers are end of life and will not receive a fix.
“Once altered, DNS entries can silently redirect traffic, resulting in a persistent compromise affecting every device behind the router,” Field Effect said.
Because no security updates are available, the only effective mitigation is device retirement.
Recommended Actions
Organizations and individuals still using affected D-Link DSL routers should:
- Immediately decommission and replace impacted devices
- Upgrade to actively supported routers with regular security updates
- Disable WAN-side remote management if replacement is temporarily impossible; this reduces exposure but does not fix the flaw for anyone who can already reach the router's web interface from inside the network
- Monitor for suspicious DNS behavior on internal networks, for example clients receiving resolver addresses that differ from the ones the router is expected to hand out
With attackers actively exploiting the flaw and no patch path available, continuing to operate these legacy devices poses a significant and ongoing security risk.
Sources: thehackernews.com