Legacy D-Link DSL gateway routers have a recently identified major security issue that is being actively exploited in the field.
The vulnerability, identified as CVE-2026-0625 (CVSS score: 9.3), relates to a command injection situation in the “dnscfg.cgi” endpoint that results from inadequate sanitization of DNS configuration parameters submitted by the user.
“An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution.”
VulnCheck advised.
“The affected endpoint is also associated with unauthenticated DNS modification (‘DNSChanger’) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019.”
In a separate alert, D-Link stated that it started an internal investigation after receiving a complaint from VulnCheck on December 16, 2025, regarding the active exploitation of “dnscfg.cgi,” and that it is attempting to determine the past and present usage of the CGI library in all of its product offerings.
Additionally, it mentioned the difficulties in precisely identifying impacted models because to differences in firmware implementations and product versions. After a firmware-level assessment is finished, an updated list of particular models is anticipated to be released later this week.
“Current analysis shows no reliable model number detection method beyond direct firmware inspection,”
D-Link said.
“For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation.”
The scope of these efforts and the identity of the threat actors taking advantage of the vulnerability are currently unknown. It’s crucial for device owners to retire their phased-out DSL gateway equipment and switch to actively maintained devices that get frequent firmware and security upgrades because the vulnerability affects such products.
