A critical security weakness affecting older D-Link DSL gateway routers has come under active exploitation, raising serious concerns for users who continue to rely on legacy networking hardware. The flaw, identified as CVE-2026-0625 and assigned a CVSS severity score of 9.3, allows unauthenticated attackers to remotely execute arbitrary commands on vulnerable devices. Researchers have confirmed that exploitation attempts are already occurring in the wild, targeting routers that are no longer maintained or supported by the vendor.
The vulnerability exists within the dnscfg.cgi endpoint and stems from improper sanitization of user-supplied input related to DNS configuration settings. According to VulnCheck, this weakness allows a remote attacker to inject and execute shell commands without authentication, effectively granting full control of the affected device. The same endpoint has historically been associated with DNSChanger-style behavior, a technique previously abused in large-scale router hijacking campaigns. D-Link has acknowledged that similar attacks were observed between 2016 and 2019 against several DSL models, including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, where attackers manipulated DNS settings to redirect network traffic without user awareness.
Evidence of active exploitation was further supported by telemetry from Shadowserver Foundation, which recorded attack activity targeting CVE-2026-0625 on November 27, 2025. Many of the impacted routers reached end-of-life status as early as 2020, meaning they no longer receive firmware updates or security patches. Known vulnerable firmware versions include DSL-2640B up to version 1.07, DSL-2740R below version 1.17, DSL-2780B up to version 1.01.14, and DSL-526B up to version 2.01. Because these devices are effectively frozen in an insecure state, they present an attractive target for attackers seeking persistent footholds in home and small business networks.
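The firmware ranges listed above can be turned into an inventory triage check. The following is an added example, not code from D-Link, VulnCheck or Shadowserver; the function names, status labels and sample inventory are assumptions constructed for illustration.

```python
import re

# Known vulnerable firmware per the article: model -> (bound, bound_is_inclusive).
KNOWN_VULNERABLE = {
    "DSL-2640B": ("1.07", True),      # up to version 1.07
    "DSL-2740R": ("1.17", False),     # below version 1.17
    "DSL-2780B": ("1.01.14", True),   # up to version 1.01.14
    "DSL-526B": ("2.01", True),       # up to version 2.01
}

def normalize_model(name):
    """Map spellings such as 'dsl 2740r' or 'DSL2740R' to 'DSL-2740R'."""
    m = re.fullmatch(r"\s*DSL[\s_-]*(\d+[A-Z])\s*", name.upper())
    return f"DSL-{m.group(1)}" if m else name.strip().upper()

def parse_version(text):
    """Extract the first dotted number ('v1.01.14' -> (1, 1, 14))."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def triage(model, firmware):
    """Return 'known-vulnerable' or 'needs-inspection' (labels are assumptions)."""
    entry = KNOWN_VULNERABLE.get(normalize_model(model))
    if entry is None:
        # Per D-Link, the model number alone does not rule a device in or out.
        return "needs-inspection"
    bound_text, inclusive = entry
    try:
        fw, bound = parse_version(firmware), parse_version(bound_text)
    except ValueError:
        return "needs-inspection"
    # Pad to equal length so that 1.07 and 1.07.0 compare as equal.
    width = max(len(fw), len(bound))
    fw += (0,) * (width - len(fw))
    bound += (0,) * (width - len(bound))
    hit = fw <= bound if inclusive else fw < bound
    return "known-vulnerable" if hit else "needs-inspection"

# Constructed sample inventory (not real devices).
INVENTORY = [("dsl 2740r", "1.16"), ("DSL-2740R", "1.17"),
             ("DSL-2780B", "v1.01.14"), ("DSL-2640B", "1.07.0"),
             ("DSL-9999X", "1.00"), ("DSL-526B", "unknown")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{normalize_model(model):10} {fw:10} {triage(model, fw)}")
```

A "needs-inspection" result is not a clean bill of health: it means the device falls outside the published ranges and its firmware still has to be examined directly.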
Following disclosure from VulnCheck on December 16, 2025, D-Link initiated an internal investigation to assess the scope of the issue and determine whether other products may be affected. The company stated that accurately identifying impacted models has proven complex due to differences in firmware implementations across product generations. D-Link noted that there is currently no reliable method to detect affected models based solely on model numbers and that direct firmware inspection is required. As part of this process, the company is reviewing both legacy and supported firmware builds and plans to release an updated list of affected devices once the analysis is complete.
Security experts warn that the risks associated with this vulnerability extend beyond a single compromised router. Field Effect explained that CVE-2026-0625 exposes the same DNS configuration mechanism used in previous widespread DNS hijacking incidents. By altering DNS settings, attackers can silently redirect, intercept, or block internet traffic for every device connected behind the router, creating a persistent and hard-to-detect compromise. Since the affected D-Link DSL routers are end-of-life and effectively unpatchable, organizations and individuals who continue to operate them face elevated operational and security risks. Researchers strongly advise retiring these devices and replacing them with actively supported hardware that receives regular security updates to reduce exposure to ongoing exploitation campaigns.