Background
A critical security vulnerability has been identified in legacy D-Link DSL gateway routers,
tracked as CVE-2026-0625 with a CVSS score of 9.3. The vulnerability
stems from improper sanitization of user-supplied input in the dnscfg.cgi endpoint,
enabling unauthenticated command injection and remote code execution. Active exploitation of
this flaw has been observed in the wild, targeting multiple firmware variants released between
2016 and 2019.
Affected Products
The following D-Link DSL gateway router models and firmware versions are known or suspected to
be affected:
- D-Link DSL-2640B – Firmware versions ≤ 1.07
- D-Link DSL-2740R – Firmware versions < 1.17
- D-Link DSL-2780B – Firmware versions ≤ 1.01.14
- D-Link DSL-526B – Firmware versions ≤ 2.01
Some of the affected devices have reached end-of-life (EoL) status and no longer receive
security updates from the vendor.
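As an added example (not part of the original advisory or any D-Link tooling), the following Python sketch checks a device inventory against the model and firmware thresholds listed above. It assumes firmware versions are dotted numeric strings compared component by component; the inventory entries are constructed sample data.

```python
import re

# Thresholds copied from the advisory's affected-products list.
# "le" = affected up to and including the version, "lt" = strictly below it.
AFFECTED = {
    "DSL-2640B": ("le", "1.07"),
    "DSL-2740R": ("lt", "1.17"),
    "DSL-2780B": ("le", "1.01.14"),
    "DSL-526B": ("le", "2.01"),
}

def parse_version(text):
    """Turn '1.01.14' into (1, 1, 14); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))

def _pad(a, b):
    # Pad the shorter tuple with zeros so '1.01' compares as '1.01.0'.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def is_affected(model, firmware):
    """True/False per the advisory's list; None when the model is not listed."""
    key = model.upper().replace("D-LINK", "").strip()
    if key not in AFFECTED:
        return None
    op, limit = AFFECTED[key]
    have, bound = _pad(parse_version(firmware), parse_version(limit))
    return have <= bound if op == "le" else have < bound

def triage(inventory):
    """Return (model, firmware, label) rows; odd version strings go to manual review."""
    labels = {True: "AFFECTED", False: "not in affected range", None: "model not listed"}
    rows = []
    for model, firmware in inventory:
        try:
            label = labels[is_affected(model, firmware)]
        except ValueError:
            label = "REVIEW: version unparseable"
        rows.append((model, firmware, label))
    return rows

# Constructed sample inventory (not from the advisory).
SAMPLE = [("D-Link DSL-2640B", "1.07"), ("DSL-2740R", "1.17"),
          ("dsl-2780b", "1.01.14"), ("DSL-526B", "2.02"),
          ("DSL-2750U", "1.00"), ("DSL-2740R", "EU_1.15")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

A "model not listed" result only means the model is absent from this advisory's list; version strings with regional prefixes are routed to manual review rather than guessed at.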
Impact
Exploitation of this vulnerability allows an unauthenticated remote attacker to execute
arbitrary system commands and alter DNS configurations. This may lead to DNS hijacking,
redirection of network traffic, interception of sensitive communications, or complete service
disruption for all devices connected behind the affected router. Due to the end-of-life status
of several impacted models, affected systems may remain persistently compromised.
Recommendations
Users and organizations operating affected devices are strongly advised to immediately retire
and replace them with supported router models that receive regular firmware and security
updates. Where replacement is not immediately possible, administrators should restrict
external access to management interfaces, closely monitor DNS settings for unauthorized
changes, and consider isolating affected devices from critical networks.