Remote code execution in unsupported D-Link DSL gateways
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2026-0625 |
| CWE-ID | CWE-78 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #1 is being exploited in the wild. |
| Vulnerable software |
DSL-526B Hardware solutions / Routers for home users DSL-2780B Hardware solutions / Routers for home users DSL-2740R Hardware solutions / Routers for home users DSL-2640B Hardware solutions / Routers & switches, VoIP, GSM, etc |
| Vendor | D-Link |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
1) OS command injection
EUVDB-ID: #VU121021
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2026-0625
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the dnscfg.cgi endpoint. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
MitigationAccording to D-Link, the vulnerability is fixed only in the DSL-2740R model. All listed device models are no longer supported by the vendor and are not expected to receive security updates.
Vulnerable software versionsDSL-526B: All versions
DSL-2640B: All versions
DSL-2780B: All versions
DSL-2740R: before 1.17
CPE2.3- cpe:2.3:h:d-link:dsl-526b:*:*:*:*:*:*:*:*
- cpe:2.3:h:d-link:dsl-2640b:*:*:*:*:*:*:*:*
- cpe:2.3:h:d-link:dsl-2780b:*:*:*:*:*:*:*:*
- cpe:2.3:h:d-link:dsl-2740r:*:*:*:*:*:*:*:*
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068
https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
