Exploiting Critical RCE Vulnerability in Outdated D-Link DSL Routers

  • Jan 7
  • 2 min read

Key Findings


  • Hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2026-0625 (CVSS score: 9.3), in legacy D-Link DSL routers.

  • The flaw is an OS command injection (improper neutralization of special elements used in an OS command), allowing unauthenticated remote attackers to inject and execute arbitrary shell commands.

  • The vulnerable endpoint, dnscfg.cgi, is also associated with unauthenticated DNS modification ("DNSChanger") behavior documented by D-Link.

  • Exploitation attempts were first detected by the Shadowserver Foundation on November 27, 2025.

  • Some affected models reached end-of-life status as early as 2020, making them unpatchable.

  • The identity of the threat actors and the scale of the hacking campaigns remain unknown.


Background


D-Link, a major networking equipment manufacturer, has disclosed a critical security vulnerability in its legacy DSL routers that is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-0625, is a case of command injection in the "dnscfg.cgi" endpoint due to improper sanitization of user-supplied DNS configuration parameters.


Technical Details


  • The vulnerability allows an unauthenticated remote attacker to inject and execute arbitrary shell commands, resulting in remote code execution.

  • The affected endpoint is also associated with unauthenticated DNS modification ("DNSChanger") behavior, which has been previously documented by D-Link.

  • Exploitation attempts targeting CVE-2026-0625 were recorded by the Shadowserver Foundation on November 27, 2025.


Impact and Affected Devices


  • Some of the impacted devices reached end-of-life (EoL) status as early as 2020, making them unpatchable.

  • The affected models include DSL-2640B <= 1.07, DSL-2740R < 1.17, DSL-2780B <= 1.01.14, and DSL-526B <= 2.01.
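
To turn the version ranges above into an inventory check, the following added example (not code from D-Link or the cited sources) flags devices whose model and firmware fall inside the listed ranges. The inventory rows and hostnames are constructed, `DSL-9999X` is a hypothetical model, and the firmware field is assumed to hold only the version string.

```python
import re

# Affected ranges exactly as listed above: model -> (operator, firmware version).
AFFECTED = {
    "DSL-2640B": ("<=", "1.07"),
    "DSL-2740R": ("<", "1.17"),
    "DSL-2780B": ("<=", "1.01.14"),
    "DSL-526B": ("<=", "2.01"),
}

def parse_version(text):
    """Turn '1.01.14' or 'v1.07' into a tuple of ints for ordered comparison."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(model, firmware):
    """True/False for listed models; None when the model is not on the list."""
    rule = AFFECTED.get(model.strip().upper())
    if rule is None:
        return None  # not listed; the vendor's model list is still under review
    op, limit = rule
    have, bound = parse_version(firmware), parse_version(limit)
    # Pad to equal length so that '2.01.0' compares equal to '2.01'.
    width = max(len(have), len(bound))
    have += (0,) * (width - len(have))
    bound += (0,) * (width - len(bound))
    return have <= bound if op == "<=" else have < bound

# Constructed sample inventory: (hostname, model, firmware version).
INVENTORY = [
    ("branch-a-gw", "DSL-2640B", "1.07"),
    ("branch-b-gw", "DSL-2740R", "1.17"),
    ("branch-c-gw", "dsl-2780b", "1.01.14"),
    ("branch-d-gw", "DSL-526B", "2.01.0"),
    ("lab-gw", "DSL-9999X", "3.00"),  # hypothetical model, not on the list
]

def triage(inventory):
    """Sort hosts into buckets a replacement plan can act on."""
    report = {"replace": [], "not_in_listed_range": [], "unlisted_model": []}
    for host, model, fw in inventory:
        verdict = is_affected(model, fw)
        key = ("replace" if verdict else
               "unlisted_model" if verdict is None else "not_in_listed_range")
        report[key].append(host)
    return report

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host outside the "replace" bucket is only outside the ranges listed here; D-Link's list of affected models is still under review.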


Vendor Response


  • D-Link initiated an internal investigation following a report from VulnCheck on December 16, 2025, about active exploitation of the "dnscfg.cgi" endpoint.

  • The company is reviewing the affected models and plans to publish an updated list of specific devices and firmware versions under review later this week.

  • D-Link cited complexities in accurately determining affected models due to variations in firmware implementations and product generations.


Recommendations


  • Users should replace the affected legacy D-Link DSL routers with supported devices that receive regular firmware and security updates.

  • The vulnerability enables unauthenticated remote code execution and DNS hijacking, posing a severe risk to devices and networks that continue to use the vulnerable routers.


Sources


  • https://securityaffairs.com/186616/hacking/hackers-actively-exploit-critical-rce-flaw-in-legacy-d-link-dsl-routers.html

  • https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html

  • https://securityonline.info/cve-2026-0625-critical-actively-exploited-rce-hits-unpatchable-d-link-routers/

  • https://ground.news/article/new-d-link-flaw-in-legacy-dsl-routers-actively-exploited-in-attacks
