New vulnerability in older D-Link DSL routers being actively used in attacks

Malicious actors are exploiting a newly identified command injection vulnerability that impacts several D-Link DSL gateway routers that have not been supported for years.
This vulnerability, now identified as CVE-2026-0625, affects the dnscfg.cgi endpoint due to inadequate input sanitization in a CGI library. An attacker without authentication could exploit this to run remote commands through DNS configuration parameters.
Vulnerability intelligence company VulnCheck reported the problem to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots.
VulnCheck informed BleepingComputer that the method observed by Shadowserver seems to lack public documentation.
"An unauthenticated remote attacker can inject and execute arbitrary shell commands, leading to remote code execution," VulnCheck states in the security advisory.
In partnership with VulnCheck, D-Link has identified the following device models and firmware versions as affected by CVE-2026-0625:
- DSL-526B ≤ 2.01
- DSL-2640B ≤ 1.07
- DSL-2740R < 1.17
- DSL-2780B ≤ 1.01.14
These models have been end-of-life (EoL) since 2020 and will not receive firmware updates to address CVE-2026-0625. Therefore, the vendor strongly advises retiring and replacing the affected devices with supported models.
D-Link continues to assess whether any other products are affected by examining various firmware releases.
"Both D-Link and VulnCheck encounter challenges in accurately identifying all impacted models due to variations in firmware implementations and product generations," D-Link explains.
"Current analysis reveals no reliable method for detecting model numbers beyond direct firmware inspection. Consequently, D-Link is validating firmware builds across both legacy and supported platforms as part of the investigation," the vendor states.
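The affected-version list above mixes inclusive (≤) and exclusive (<) bounds, which is easy to get wrong when checking an asset inventory by hand. The following Python is an added example, not code from D-Link, VulnCheck or this article; the inventory records, hostnames and the DSL-9999X model are constructed, and comparing version components numerically (so 1.07 equals 1.7) is an assumption.

```python
import re

# Affected ranges copied from the list in the article: model -> (operator, bound).
# DSL-2740R uses an exclusive bound (<); the other three are inclusive (<=).
AFFECTED = {
    "DSL-526B": ("<=", "2.01"),
    "DSL-2640B": ("<=", "1.07"),
    "DSL-2740R": ("<", "1.17"),
    "DSL-2780B": ("<=", "1.01.14"),
}

INVENTORY = [  # constructed sample records: (hostname, model, firmware)
    ("branch-gw-01", "DSL-2740R", "1.17"),
    ("branch-gw-02", "dsl-2740r", "1.16"),
    ("kiosk-gw", "DSL-2780B", "1.01.14"),
    ("lab-gw", "DSL-526B", "2.02"),
    ("home-gw", "DSL-2640B", "unknown"),
    ("store-gw", "DSL-9999X", "1.00"),  # hypothetical model, not in the list
]

def parse_version(text):
    """Turn '1.01.14' into (1, 1, 14); assumption: components compare numerically."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(model, firmware):
    """Return 'affected', 'listed-model-newer-firmware', 'unlisted-model' or 'unknown-version'."""
    key = model.strip().upper()
    if key not in AFFECTED:
        return "unlisted-model"  # not a clean bill of health: the list may grow
    op, bound = AFFECTED[key]
    try:
        have, limit = parse_version(firmware), parse_version(bound)
    except ValueError:
        return "unknown-version"  # needs direct firmware inspection
    width = max(len(have), len(limit))  # pad so 1.01 compares as 1.01.0
    have += (0,) * (width - len(have))
    limit += (0,) * (width - len(limit))
    hit = have <= limit if op == "<=" else have < limit
    return "affected" if hit else "listed-model-newer-firmware"

def triage(inventory):
    return {host: classify(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:14} {status}")
```

A result other than `affected` does not clear a device: every listed model is end-of-life, and D-Link is still validating other firmware builds.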
At present, it is unclear who is exploiting the vulnerability and which targets are affected. However, VulnCheck notes that most consumer router configurations permit only LAN access to administrative Common Gateway Interface (CGI) endpoints such as dnscfg.cgi.
Exploiting CVE-2026-0625 would therefore require either a browser-based attack or a target device set up for remote administration.
Users of end-of-life (EoL) routers and networking devices should replace them with models that are actively supported by the vendor or use them in non-critical networks, preferably segmented, with the latest available firmware version and strict security settings.
D-Link warns users that EoL devices do not receive firmware updates, security patches, or any maintenance.
Author: Nerdcore PC Systems