CVE-2026-0625: Critical Vulnerability in Legacy D-Link DSL Gateway Devices

What Is CVE-2026-0625?

CVE-2026-0625 is a critical command injection vulnerability found in the DNS configuration interface of several older D-Link DSL gateway models. The flaw exists because the router firmware does not properly validate user-supplied parameters related to DNS settings, specifically in the dnscfg.cgi endpoint. This allows a remote attacker to inject and execute arbitrary shell commands without authentication.

A threat actor anywhere on the internet or within a local network can send specially crafted requests to the device and gain remote code execution, effectively taking over the router.

Which Routers Are Affected?

The vulnerability has been observed in multiple legacy D-Link DSL gateway models that have been out of official support since 2020. These include:

• D-Link DSL-526B with older firmware versions
• D-Link DSL-2640B with older firmware versions
• D-Link DSL-2740R with older firmware versions
• D-Link DSL-2780B with older firmware versions

Due to differences in firmware across product lines it is difficult to produce an exhaustive list of impacted devices.

Why This Vulnerability Is Serious

Security scoring systems rate CVE-2026-0625 as critical, with a CVSS severity score of approximately 9.3 out of 10, making it an urgent threat.

No Authentication Needed

An attacker does not need a password or any access credentials to exploit this flaw. The weakness is in the way the router software parses web interface input. Simply sending specially crafted HTTP requests can trigger remote command execution.

Full Device Control

Once an attacker can run commands on the router they can:

• Change DNS settings to redirect all traffic through malicious servers
• Intercept login credentials for email, banking, or corporate systems
• Install malware on the router or on devices inside the network
• Recruit the router into botnets used for distributed attacks

Exploits Observed in the Wild

Security monitoring groups have observed exploitation attempts against this flaw as early as November 2025, indicating active attacks even before the CVE was widely published.

No Patch Planned

Most affected devices have no firmware update available. D-Link officially declared the impacted models at end-of-life in early 2020, meaning security updates and patches are not being released. Many experts agree this is because the age and architecture of the devices make patching impractical.

What You Can Do

If you or your organization still uses one of these older D-Link DSL routers here are the recommended actions:

Replace the Hardware

The most effective way to mitigate this issue is to retire and replace vulnerable devices with modern routers that receive ongoing security updates.

Restrict Exposure

Until you replace the router limit its exposure by:

• Disabling remote administration if supported
• Placing it behind another firewall or security appliance
• Using strong access controls on your internal network

Network Monitoring

Monitor DNS settings and network traffic patterns. Unexpected DNS changes, traffic redirection, or connections to unexplained hosts should be treated as potential indicators of compromise.

Final Thoughts

CVE-2026-0625 is a stark reminder that outdated edge devices can become permanent attack surfaces if they are not replaced or properly secured. Routers are a critical part of network infrastructure and vulnerabilities at this level can affect every connected device. Security experts strongly recommend auditing your networking hardware and ensuring that no legacy equipment is exposed without protection.

Staying informed about vulnerabilities like this helps protect your network and data from attackers who are constantly looking for the weakest link.