Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers

Published:

7 januari 2026 om 04:31:00

Alert date:

7 januari 2026 om 05:01:53

Source:

thehackernews.com

Mobile & IoT, Network Infrastructure, Zero-Day Vulnerabilities

A critical remote code execution vulnerability (CVE-2026-0625) with CVSS score 9.3 is being actively exploited in legacy D-Link DSL gateway routers. The flaw involves command injection in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. Unauthenticated remote attackers can exploit this vulnerability to execute arbitrary commands on affected devices.

Technical details

Critical command injection vulnerability in the dnscfg.cgi endpoint of legacy D-Link DSL routers caused by improper sanitization of user-supplied DNS configuration parameters. Allows unauthenticated remote attackers to inject and execute arbitrary shell commands, resulting in remote code execution. The vulnerability enables DNS hijacking and modification without credentials or user interaction, giving attackers control over DNS settings and ability to redirect, intercept, or block downstream traffic.

Mitigation steps:

Retire affected D-Link DSL devices and upgrade to actively supported devices that receive regular firmware and security updates. Organizations should discontinue use of end-of-life D-Link DSL models as they are unpatchable and face elevated operational risk.

Affected products:

D-Link DSL-2640B <= 1.07
D-Link DSL-2740R < 1.17
D-Link DSL-2780B <= 1.01.14
D-Link DSL-526B <= 2.01