
Exploiting Critical RCE Vulnerability in Outdated D-Link DSL Routers

  • Jan 7

Key Findings


  • Hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2026-0625 (CVSS score: 9.3), in legacy D-Link DSL routers.

  • The flaw is a case of improper neutralization of special elements used in an OS command (command injection), which allows unauthenticated remote attackers to inject and execute arbitrary shell commands.

  • The vulnerable endpoint, dnscfg.cgi, is also associated with unauthenticated DNS modification ("DNSChanger") behavior documented by D-Link.

  • Exploitation attempts were first detected by the Shadowserver Foundation on November 27, 2025.

  • Affected models have reached end-of-life status as early as 2020, making them unpatchable.

  • The identity of the threat actors and the scale of the hacking campaigns remain unknown.


Background


D-Link, a major networking equipment manufacturer, has disclosed a critical security vulnerability in its legacy DSL routers that is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-0625, is a case of command injection in the "dnscfg.cgi" endpoint due to improper sanitization of user-supplied DNS configuration parameters.


Technical Details


  • The vulnerability allows an unauthenticated remote attacker to inject and execute arbitrary shell commands, resulting in remote code execution.

  • The affected endpoint is also associated with unauthenticated DNS modification ("DNSChanger") behavior, which has been previously documented by D-Link.

  • Exploitation attempts targeting CVE-2026-0625 were recorded by the Shadowserver Foundation on November 27, 2025.
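The post describes the exploit path only in outline (unauthenticated requests to dnscfg.cgi carrying DNS configuration values that are passed to a shell without sanitization). The script below is an added example written for this summary, not code from the original post or from D-Link, showing how a defender could hunt for that pattern in web-server access logs and how the DNS parameters should have been validated in the first place (a strict dotted-quad allow-list instead of blacklisting shell metacharacters). The parameter names dnsPrimary and dnsSecondary, the LAN range 192.168.1.0/24 and the log lines are all constructed assumptions; the real endpoint's parameter names are not given in the post.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Common Log Format). Not real captures;
# the parameter names dnsPrimary/dnsSecondary are an assumption for illustration.
SAMPLE_LOG = """\
192.168.1.10 - - [27/Nov/2025:10:12:44 +0000] "GET /dnscfg.cgi?dnsPrimary=9.9.9.9&dnsSecondary=149.112.112.112 HTTP/1.1" 200 312
198.51.100.23 - - [27/Nov/2025:10:14:05 +0000] "GET /dnscfg.cgi?dnsPrimary=9.9.9.9%3Bid&dnsSecondary=1.1.1.1 HTTP/1.1" 200 312
192.168.1.10 - - [27/Nov/2025:10:15:40 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [27/Nov/2025:10:16:01 +0000] "GET /dnscfg.cgi?dnsPrimary=9.9.9.9&dnsSecondary=149.112.112.112 HTTP/1.1" 200 312
203.0.113.7 - - [27/Nov/2025:10:16:09 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 312
"""

# Assumed management network: only hosts in this range should ever reach the
# router's configuration CGI. Anything else is WAN-side access to an
# unauthenticated endpoint and is worth an alert on its own.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_strict_ipv4(value: str) -> bool:
    """Allow-list check for a DNS server parameter: exactly four decimal octets
    and nothing else. This is how the value should be validated before it is
    used anywhere near a shell; rejecting a list of 'bad' characters is not."""
    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", value):
        return False
    try:
        ipaddress.IPv4Address(value)  # rejects octets above 255
    except ValueError:
        return False
    return True


def scan_log(text: str, endpoint: str = "dnscfg.cgi") -> list[dict]:
    """Return one finding per suspicious request to the endpoint. A request is
    suspicious if it comes from outside LAN_NETWORK, if any query value is not a
    plain IPv4 address, or if it is a POST (body not visible in the access log)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/" + endpoint):
            continue
        reasons = []
        if ipaddress.ip_address(m["src"]) not in LAN_NETWORK:
            reasons.append("request from outside the management LAN")
        # parse_qsl percent-decodes values, so an encoded %3B shows up as ';'
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if not is_strict_ipv4(value):
                reasons.append(f"parameter {name!r} is not a plain IPv4 address: {value!r}")
        if m["method"] != "GET":
            reasons.append(f"{m['method']} request: parameters are in the body, inspect separately")
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"], "method": m["method"],
                             "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {f['target']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed sample the benign LAN-side change is silent, the request with `;` in a parameter is flagged twice (external source and non-IPv4 value), and the two requests from 203.0.113.7 are flagged for external access alone. In practice the source address check matters most here, because a device that is still on the network after end-of-life cannot be patched and the only meaningful controls left are replacement and keeping the management interface off the WAN.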


Impact and Affected Devices


  • Some of the impacted devices have reached end-of-life (EoL) status as early as 2020, making them unpatchable.

  • The affected models include DSL-2640B <= 1.07, DSL-2740R < 1.17, DSL-2780B <= 1.01.14, and DSL-526B <= 2.01.


Vendor Response


  • D-Link initiated an internal investigation following a report from VulnCheck on December 16, 2025, about active exploitation of the "dnscfg.cgi" endpoint.

  • The company is reviewing the affected models and plans to publish an updated list of specific devices and firmware versions under review later this week.

  • D-Link cited complexities in accurately determining affected models due to variations in firmware implementations and product generations.


Recommendations


  • Users should replace the affected legacy D-Link DSL routers with supported devices that receive regular firmware and security updates.

  • The vulnerability enables unauthenticated remote code execution and DNS hijacking, posing a severe risk to devices and networks that continue to use the vulnerable routers.


Sources


  • https://securityaffairs.com/186616/hacking/hackers-actively-exploit-critical-rce-flaw-in-legacy-d-link-dsl-routers.html

  • https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html

  • https://securityonline.info/cve-2026-0625-critical-actively-exploited-rce-hits-unpatchable-d-link-routers/

  • https://ground.news/article/new-d-link-flaw-in-legacy-dsl-routers-actively-exploited-in-attacks

© 2025 by Explain IT Again.