RCE flaw in legacy D-Link DSL gateway devices actively exploited in the wild

 


Threat actors are actively exploiting a critical command injection vulnerability affecting multiple legacy D-Link DSL gateway routers that have been out of support for several years.

The flaw, tracked as CVE-2026-0625, resides in the dnscfg.cgi endpoint and stems from improper input sanitization in a CGI library, allowing unauthenticated attackers to execute arbitrary commands through crafted DNS configuration parameters.

Vulnerability intelligence firm VulnCheck reported the issue to D-Link on December 15 after The Shadowserver Foundation detected exploitation attempts targeting one of its honeypots. According to VulnCheck, the vulnerability enables unauthenticated remote code execution by allowing attackers to inject and run shell commands on exposed devices.

D-Link has confirmed that several end-of-life models are affected, including the DSL-526B running firmware version 2.01 or earlier, the DSL-2640B with firmware 1.07 or earlier, the DSL-2740R with versions below 1.17, and the DSL-2780B with firmware up to version 1.01.14. All of the mentioned devices reached end-of-life status by 2020 and will not receive security updates.

“Both D-Link and VulnCheck face complexity in precisely identifying all impacted models due to variations in firmware implementations and product generations. D-Link continues a detailed firmware-level review to determine affected devices. An updated list of specific models and, where applicable, firmware versions under review will be published later this week,” the vendor noted.

Owners of the legacy devices are advised to replace them with actively supported models that receive regular firmware and security updates.
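For networks where an affected gateway is still in service, HTTP logs from a proxy or sensor in front of it can be reviewed for requests to the dnscfg.cgi endpoint. The following is an added example, not code from D-Link, VulnCheck or Shadowserver: it assumes Common Log Format input, and the sample lines, the parameter names `dns1`/`dns2` and the `PLACEHOLDER` value are constructed for illustration. Only the query string is visible in such logs, so parameters sent in a request body are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in Common Log Format. Addresses, timestamps, the
# parameter names dns1/dns2 and the PLACEHOLDER value are all made up.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2026:10:01:02 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53&dns2=192.0.2.54 HTTP/1.1" 200 512
203.0.113.9 - - [05/Jan/2026:10:04:11 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53%3BPLACEHOLDER HTTP/1.1" 200 0
198.51.100.7 - - [05/Jan/2026:10:05:40 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters expected in an IP address or a simple flag value; anything
# else (separators, quotes, whitespace, substitutions) is treated as abnormal.
PLAIN_VALUE_RE = re.compile(r"[A-Za-z0-9._:-]*")


def scan(log_text):
    """Return one finding per logged request to dnscfg.cgi."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/dnscfg.cgi"):
            continue
        # parse_qsl percent-decodes values, so encoded characters are caught too.
        odd = [name for name, value in parse_qsl(url.query, keep_blank_values=True)
               if not PLAIN_VALUE_RE.fullmatch(value)]
        findings.append({
            "line": lineno,
            "client": m["client"],
            "status": int(m["status"]),
            "odd_params": odd,
            # Any hit deserves a look; abnormal values raise the priority.
            "severity": "high" if odd else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Every request to the endpoint is reported because the flaw requires no authentication; requests whose parameter values contain characters outside the plain set are marked `high`.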
