PT-2026-1338 · D Link · Dsl-526B+3

Vulncheck · Published 2026-01-05 · Updated 2026-04-04 · CVE-2026-0625

CVSS v4.0 · 10 · Critical

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

D-Link DSL-2640B versions ≤ 1.07
D-Link DSL-2740R versions < 1.17
D-Link DSL-2780B versions ≤ 1.01.14
D-Link DSL-526B versions ≤ 2.01
D-Link DSL gateway devices (affected versions not specified)

Description

A critical remote code execution (RCE) vulnerability exists in multiple end-of-life D-Link DSL gateway routers. This flaw, tracked as CVE-2026-0625, stems from improper input sanitization within the dnscfg.cgi endpoint, allowing unauthenticated attackers to inject and execute arbitrary shell commands. This vulnerability has been observed in active exploitation campaigns since November 2025, mirroring past "DNSChanger" style attacks. Successful exploitation grants attackers full control of the device, potentially leading to DNS hijacking, traffic redirection, and the establishment of botnets. The dnscfg.cgi endpoint is responsible for DNS configuration. The vulnerability allows attackers to send requests disguised as DNS settings, enabling arbitrary command execution. Shadowserver Foundation observed exploitation evidence on 2025-11-27 (UTC).

Recommendations

D-Link DSL-2640B versions ≤ 1.07: Replace the device with a supported model.
D-Link DSL-2740R versions < 1.17: Replace the device with a supported model.
D-Link DSL-2780B versions ≤ 1.01.14: Replace the device with a supported model.
D-Link DSL-526B versions ≤ 2.01: Replace the device with a supported model.
D-Link DSL gateway devices (affected versions not specified): Replace the device with a supported model.

Fix

RCE

OS Command Injection

Missing Authentication

Weakness Enumeration

Related Identifiers

BDU:2026-00124
CVE-2026-0625

Affected Products

Dsl-2640B
Dsl-2740R
Dsl-2780B
Dsl-526B