PT-2026-1338 · D Link · Dsl-526B +3
Vulncheck · Published 2026-01-05 · Updated 2026-01-08 · CVE-2026-0625
CVSS v4.0: 9.3 (Critical)
Base vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
Name of the Vulnerable Software and Affected Versions
D-Link DSL-2640B version 1.07 and earlier
D-Link DSL-2740R version 1.17 and earlier
D-Link DSL-2780B version 1.01.14 and earlier
D-Link DSL-526B version 2.01 and earlier
D-Link DSL routers (affected versions not specified)
Description
Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to insufficient sanitization of user-supplied DNS configuration parameters. This allows an unauthenticated remote attacker to inject and execute arbitrary shell commands, resulting in remote code execution. The vulnerability has been actively exploited in the wild since November 2025, with exploitation patterns resembling previous DNS hijacking campaigns (such as "GhostDNS" or "DNSChanger"). Many affected devices are end-of-life and no longer receive security updates. The estimated number of potentially affected devices is not specified. Exploitation of this flaw can lead to full network compromise, traffic redirection, and potential botnet recruitment. The dnscfg.cgi endpoint is used for DNS configuration.
Recommendations
For DSL-2640B version 1.07 and earlier, replace the device with a supported model.
For DSL-2740R version 1.17 and earlier, replace the device with a supported model.
For DSL-2780B version 1.01.14 and earlier, replace the device with a supported model.
For DSL-526B version 2.01 and earlier, replace the device with a supported model.
For all other affected D-Link DSL routers, replace the device with a supported model.
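Until a device is replaced, HTTP logs from a sensor or proxy in front of it can be checked for the request pattern the description names: requests to dnscfg.cgi that arrive from outside the LAN or carry shell metacharacters in a parameter value. The following is an added example, not part of the advisory; the Common Log Format input, the LAN range, and the parameter names `a` and `b` are assumptions, and the sample lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# Assumption: the router's LAN; requests from anywhere else reached the WAN side.
LAN = ip_network("192.168.1.0/24")

# Constructed sample lines in Common Log Format (not real traffic).
# The parameter names "a" and "b" are hypothetical placeholders.
SAMPLE_LOG = """\
192.168.1.10 - - [05/Jan/2026:10:00:01 +0000] "GET /dnscfg.cgi?a=192.0.2.53&b=192.0.2.54 HTTP/1.1" 200 512
203.0.113.7 - - [05/Jan/2026:10:00:02 +0000] "GET /dnscfg.cgi?a=198.51.100.9&b=198.51.100.10 HTTP/1.1" 200 512
203.0.113.8 - - [05/Jan/2026:10:00:03 +0000] "GET /dnscfg.cgi?a=192.0.2.53%3BEXAMPLE HTTP/1.1" 200 0
192.168.1.10 - - [05/Jan/2026:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
# Characters a shell would interpret; none belong in a DNS server address.
SHELL_META = re.compile(r"[;&|`$()<>\r\n]")

def classify(line):
    """Return the findings for one log line; an empty list means nothing to report."""
    m = LINE_RE.match(line)
    if not m:
        return []
    src, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/dnscfg.cgi"):
        return []
    findings = []
    try:
        if ip_address(src) not in LAN:
            findings.append("wan-source")
    except ValueError:
        findings.append("unparsed-source")
    # parse_qsl percent-decodes values, so %3B is inspected as ';'.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append(f"shell-metachar:{name}")
    return findings

def scan(log_text):
    """Return (line_number, source, findings) for every line with findings."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        findings = classify(line)
        if findings:
            hits.append((n, line.split(" ", 1)[0], findings))
    return hits
```

A `wan-source` hit with well-formed addresses still deserves review, since the description compares the observed exploitation to DNS hijacking campaigns.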
Fix
RCE
Missing Authentication
OS Command Injection
Related Identifiers
CVE-2026-0625
Affected Products
Dsl-2640B
Dsl-2740R
Dsl-2780B
Dsl-526B
References · 53
- https://nvd.nist.gov/vuln/detail/CVE-2026-0625 · Security Note
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488 · Vendor Advisory
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068 · Patch, Vendor Advisory
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118 · Vendor Advisory
- https://twitter.com/NovaSignal/status/2008955313014321626 · Twitter Post
- https://twitter.com/transilienceai/status/2009143124082192483 · Twitter Post
- https://vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint · Note
- https://twitter.com/dailytechonx/status/2009334795990397048 · Twitter Post
- https://twitter.com/securityRSS/status/2008925798997119421 · Twitter Post
- https://twitter.com/ritzsec/status/2009171408061124816 · Twitter Post
- https://reddit.com/r/pwnhub/comments/1q634kk/new_dlink_flaw_exploited_in_legacy_dsl_routers · Reddit Post
- https://twitter.com/PurpleOps_io/status/2008841144344436975 · Twitter Post
- https://t.me/pentestingnews/72144 · Telegram Post
- https://twitter.com/0dayPublishing/status/2008288876251455716 · Twitter Post
- https://twitter.com/gothburz/status/2009219370883412271 · Twitter Post