PT-2026-1338 · D Link · Dsl-2640B +3

Vulncheck · Published 2026-01-05 · Updated 2026-02-10 · CVE-2026-0625

CVSS v4.0: 10
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

Name of the Vulnerable Software and Affected Versions

D-Link DSL-2640B versions ≤ 1.07
D-Link DSL-2740R versions < 1.17
D-Link DSL-2780B versions ≤ 1.01.14
D-Link DSL-526B versions ≤ 2.01
D-Link DSL gateway devices (affected versions not specified)

Description

A critical remote code execution (RCE) vulnerability exists in multiple end-of-life D-Link DSL gateway routers. This flaw, tracked as CVE-2026-0625, is a command injection vulnerability located in the dnscfg.cgi endpoint due to insufficient sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary shell commands, potentially gaining full control of the device. This vulnerability has been observed in active exploitation campaigns, with attackers leveraging it for DNS hijacking, similar to past "GhostDNS" or "DNSChanger" attacks. The affected devices are no longer supported and will not receive security updates. Active exploitation of this vulnerability was observed as early as November 2025. The dnscfg.cgi endpoint is used for DNS configuration.
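
The weakness class in the description (DNS configuration parameters reaching a shell without sanitization) is closed by strict allowlist validation, sketched here as an added example that is not D-Link firmware code. The function names are hypothetical, and it assumes each DNS server field must be a plain IPv4 literal.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only a dotted-quad IPv4 literal and rewrite it in canonical form.
 * Returns 1 and fills out on success, 0 on any other input. */
int canonical_dns_server(const char *in, char out[INET_ADDRSTRLEN])
{
    struct in_addr addr;
    size_t len, i;

    if (in == NULL)
        return 0;
    len = strlen(in);
    if (len < 7 || len >= INET_ADDRSTRLEN)   /* "1.1.1.1" .. "255.255.255.255" */
        return 0;
    for (i = 0; i < len; i++)                /* allowlist: digits and dots only */
        if (!isdigit((unsigned char)in[i]) && in[i] != '.')
            return 0;
    if (inet_pton(AF_INET, in, &addr) != 1)  /* four octets, each 0..255 */
        return 0;
    /* Downstream code sees the re-rendered address, never the raw request bytes. */
    return inet_ntop(AF_INET, &addr, out, INET_ADDRSTRLEN) != NULL;
}

/* Hypothetical handler step: primary is required, secondary may be empty.
 * Nothing is applied unless every supplied value validates. */
int validate_dns_config(const char *primary, const char *secondary,
                        char p_out[INET_ADDRSTRLEN], char s_out[INET_ADDRSTRLEN])
{
    s_out[0] = '\0';
    if (!canonical_dns_server(primary, p_out))
        return 0;
    if (secondary != NULL && secondary[0] != '\0' &&
        !canonical_dns_server(secondary, s_out))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "192.0.2.53", "192.0.2.53;x", "$(x)", "300.1.1.1" };
    char p[INET_ADDRSTRLEN], s[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i],
               validate_dns_config(samples[i], "", p, s) ? "accept" : "reject");
    return 0;
}
```

Validated values should then be written to configuration or passed as a single argv element to an exec-family call, not interpolated into a shell command string.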

Recommendations

D-Link DSL-2640B versions ≤ 1.07: Replace the device with a supported model.
D-Link DSL-2740R versions < 1.17: Replace the device with a supported model.
D-Link DSL-2780B versions ≤ 1.01.14: Replace the device with a supported model.
D-Link DSL-526B versions ≤ 2.01: Replace the device with a supported model.
D-Link DSL gateway devices (affected versions not specified): Replace the device with a supported model.

Fix

RCE

Missing Authentication

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00124
CVE-2026-0625

Affected Products

Dsl-2640B
Dsl-2740R
Dsl-2780B
Dsl-526B