Ethical Hacking News
A recently discovered flaw in legacy D-Link DSL routers is being actively exploited by threat actors and allows remote code execution. The affected models have been end-of-life since 2020 and are no longer supported with firmware updates.
Legacy D-Link DSL routers are vulnerable to CVE-2026-0625 due to improper input sanitization.
Attackers can exploit the vulnerability remotely to execute arbitrary shell commands and achieve remote code execution.
The vulnerability affects certain device models and firmware versions, including those that have reached end-of-life.
D-Link advises users to retire and replace affected devices or use non-critical networks with restrictive security settings.
Regular vulnerability assessments and device retirement strategies are crucial for minimizing exposure to such critical vulnerabilities.
In a recent announcement, cybersecurity experts have exposed a critical vulnerability in multiple legacy DSL routers from D-Link, a well-known networking equipment provider. This vulnerability, identified as CVE-2026-0625, has been reported to be actively exploited by threat actors in various attacks.
According to the information provided, the issue stems from improper input sanitization in a CGI library behind the dnscfg.cgi endpoint of these routers. It can be exploited remotely, allowing attackers to execute arbitrary shell commands and potentially achieve remote code execution on vulnerable devices.
The vulnerability was first reported by VulnCheck, a company specializing in vulnerability intelligence, which notified D-Link about the issue on December 15th. Following this report, the Shadowserver Foundation observed an exploitation attempt on one of its honeypots, capturing some of the techniques used in such attacks but without publicly documenting them.
D-Link has since confirmed that certain device models and firmware versions are affected by CVE-2026-0625: the DSL-526B (firmware up to 2.01), the DSL-2640B (up to 1.07), the DSL-2740R (below 1.17), and the DSL-2780B (1.01.14 and earlier). These models have been end-of-life (EoL) since 2020 and are no longer supported by D-Link with new firmware updates for CVE-2026-0625.
It is worth noting that exploiting this vulnerability may require specific configurations, such as allowing remote access to administrative CGI endpoints like dnscfg.cgi. Most consumer router setups restrict access to these endpoints, making it less likely for an attacker to exploit the vulnerability without further planning and setup.
In light of this discovery, D-Link strongly advises users to retire and replace their affected devices with supported models, or to deploy them only in non-critical networks using the latest available firmware version and restrictive security settings. Because they have reached EoL status, these devices no longer receive updates or patches from D-Link, including for CVE-2026-0625.
Furthermore, cybersecurity experts emphasize the importance of regular vulnerability assessments and device retirement strategies for network equipment to minimize exposure to such critical vulnerabilities.
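The affected firmware ranges and the remote-administration condition described above can be turned into an inventory triage check. This is an added example, not code from D-Link or the original article: the inventory format, device names and status labels are constructed, "up to" is assumed to be inclusive, and version components are assumed to compare numerically.

```python
import re

# Ranges from the article: model -> (upper bound, inclusive?). "up to" is assumed inclusive.
AFFECTED = {
    "DSL-526B": ("2.01", True),
    "DSL-2640B": ("1.07", True),
    "DSL-2740R": ("1.17", False),
    "DSL-2780B": ("1.01.14", True),
}

# Constructed sample inventory: name, model, firmware, remote (WAN) admin enabled.
INVENTORY = """\
site-a-gw,DSL-2740R,1.16,yes
site-b-gw,DSL-2740R,1.17,no
lab-01,DSL-2780B,v1.01.14,no
branch-7,DSL-526B,2.01b,yes
office-3,DSL-2640B,1.07,no
"""

def parse_version(text):
    """'1.01.14' -> (1, 1, 14); None when the string is not dotted numbers."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # so that 2.01.0 equals 2.01
        parts.pop()
    return tuple(parts)

def triage(model, firmware, wan_admin):
    """Classify one device against the article's affected ranges."""
    rule = AFFECTED.get(model.strip().upper())
    if rule is None:
        return "not-listed"
    bound, inclusive = rule
    version, limit = parse_version(firmware), parse_version(bound)
    if version is None:
        return "review"  # unparseable firmware string: check by hand
    if version < limit or (inclusive and version == limit):
        return "affected-exposed" if wan_admin else "affected"
    return "above-range"

def triage_inventory(text):
    """Map device name -> status for each CSV line of the inventory."""
    rows = (line.split(",") for line in text.splitlines() if line.strip())
    return {n.strip(): triage(m, f, w.strip().lower() == "yes") for n, m, f, w in rows}

if __name__ == "__main__":
    print(triage_inventory(INVENTORY))
```

Devices marked "affected-exposed" are the ones to retire first. Since all four listed models are EoL, "above-range" only means the firmware falls outside the ranges stated here.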
Published: Tue Jan 6 14:02:20 2026 by llama3.2 3B Q4_K_M