

Ethical Hacking News

Ongoing Attacks Exploit Critical RCE Vulnerability in Legacy D-Link DSL Routers



A critical RCE vulnerability has been discovered in legacy D-Link DSL gateway routers, allowing attackers to execute arbitrary shell commands and gain control over DNS settings. This vulnerability is being actively exploited, highlighting the importance of upgrading to supported devices and staying up-to-date with security patches.

  • A critical security flaw (CVE-2026-0625) has been discovered in legacy D-Link DSL gateway routers.
  • The vulnerability allows unauthenticated remote attackers to inject and execute arbitrary shell commands, resulting in remote code execution.
  • The affected endpoint is associated with unauthenticated DNS modification ('DNSChanger') behavior documented by D-Link.
  • The affected devices reached end-of-life (EoL) status as of early 2020 and are unpatchable, leaving them exposed to exploitation.
  • Device owners should retire their devices and upgrade to actively supported models that receive regular firmware updates.


    A newly discovered critical security flaw in legacy D-Link DSL gateway routers is being actively exploited by threat actors worldwide. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), is a command injection in the "dnscfg.cgi" endpoint caused by improper sanitization of user-supplied DNS configuration parameters.

    According to cybersecurity company VulnCheck, this vulnerability allows an unauthenticated remote attacker to inject and execute arbitrary shell commands, resulting in remote code execution. The impact of this vulnerability is significant, as it enables an attacker to gain direct control over DNS settings without requiring any credentials or user interaction.

    Furthermore, VulnCheck noted that the affected endpoint is also associated with unauthenticated DNS modification ('DNSChanger') behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. These devices have reached end-of-life (EoL) status as of early 2020.

    In an alert of its own, D-Link said it initiated an internal investigation following a report from VulnCheck on December 16, 2025, about active exploitation of "dnscfg.cgi," and that it is working to identify historical and current use of the CGI library across all its product offerings. However, variations in firmware implementations and product generations make it difficult to determine accurately which models are affected, and this has hindered the company's efforts.

    At this stage, the identity of the threat actors exploiting the flaw and the scale of such efforts are not known. Given that the vulnerability impacts DSL gateway products that have been phased out, it is crucial for device owners to retire them and upgrade to actively supported devices that receive regular firmware and security updates.

    The discovery of CVE-2026-0625 exposes the same DNS configuration mechanism leveraged in past large-scale DNS hijacking campaigns. As a result, unauthenticated remote code execution via the dnscfg.cgi endpoint gives attackers direct control over DNS settings without credentials or user interaction. Once altered, DNS entries can silently redirect, intercept, or block downstream traffic, resulting in a persistent compromise affecting every device behind the router.
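A log triage for the two behaviours described above (shell metacharacters in DNS parameters and DNSChanger-style resolver swaps), added here as an illustration and not taken from VulnCheck, D-Link or the article's sources. The log layout, the parameter names `dns_a` and `dns_b`, the resolver allowlist and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Resolvers this network is supposed to use (constructed documentation addresses).
EXPECTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}
# Characters a shell treats specially; none belong in a DNS server address.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n\r]")
# Assumed access-log layout: client, identity fields, timestamp, request line, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

# Constructed sample lines; dns_a and dns_b are hypothetical parameter names.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jan/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200',
    '203.0.113.7 - - [06/Jan/2026:10:00:02 +0000] '
    '"GET /dnscfg.cgi?dns_a=192.0.2.53&dns_b=198.51.100.53 HTTP/1.1" 200',
    '203.0.113.9 - - [06/Jan/2026:10:04:10 +0000] '
    '"GET /dnscfg.cgi?dns_a=203.0.113.66&dns_b=198.51.100.53 HTTP/1.1" 200',
    '203.0.113.9 - - [06/Jan/2026:10:04:12 +0000] '
    '"GET /dnscfg.cgi?dns_a=192.0.2.53%3Becho+test HTTP/1.1" 200',
]

def triage(line):
    """Return (client, findings) for a dnscfg.cgi request, None for any other line."""
    m = LOG_LINE.match(line)
    if not m or not urlsplit(m.group(2)).path.lower().endswith("/dnscfg.cgi"):
        return None
    client, target = m.groups()
    findings = set()
    # parse_qsl percent-decodes, so an encoded %3B is caught like a literal ';'.
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.add("shell-metacharacter")
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # not an address (flag or token), nothing further to check
        if str(addr) not in EXPECTED_RESOLVERS:
            findings.add(f"unexpected-resolver:{addr}")
    return client, sorted(findings)

def scan(lines):
    return [hit for hit in map(triage, lines) if hit is not None]

if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, findings or ["endpoint-touched"])
```

A request that reaches the endpoint with no findings is still reported, since any unauthenticated hit on this endpoint from outside the management network deserves review.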

    Organizations that continue to operate these impacted D-Link DSL models face elevated operational risk due to their end-of-life status and unpatchability. This highlights the importance of staying up-to-date with security patches and regularly assessing the vulnerability posture of network devices.

    It is essential for users to take proactive measures to protect themselves from this vulnerability, such as retiring legacy devices and migrating to supported alternatives that receive regular firmware updates.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ongoing-Attacks-Exploit-Critical-RCE-Vulnerability-in-Legacy-D-Link-DSL-Routers-ehn.shtml

  • https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-0625

  • https://www.cvedetails.com/cve/CVE-2026-0625/


  • Published: Tue Jan 6 23:04:51 2026 by llama3.2 3B Q4_K_M












