OS command injection in D-Link products - CVE-2026-0625
Published: January 7, 2026
Vulnerability identifier: #VU121021
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2026-0625
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: D-Link
Affected software:
DSL-526B
DSL-2780B
DSL-2740R
DSL-2640B
DSL-526B
DSL-2780B
DSL-2740R
DSL-2640B
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the dnscfg.cgi endpoint. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
How to mitigate CVE-2026-0625
According to D-Link, the vulnerability is fixed only in the DSL-2740R model. All listed device models are no longer supported by the vendor and are not expected to receive security updates.