Command injection in legacy D-Link DSL routers tracked as CVE-2026-0625 and actively exploited

A security advisory from VulnCheck reported that threat actors are exploiting a command injection vulnerability in multiple legacy D-Link DSL gateway routers, tracked as CVE-2026-0625. The flaw resides in the _dnscfg.cgi_ endpoint and permits unauthenticated remote command execution.

KEY FACTS

  • Vulnerability: Command injection in _dnscfg.cgi_ tracked as CVE-2026-0625
  • Affected models: Four legacy DSL routers with specific firmware version limits
  • Support status: Devices reached end-of-life in 2020 and will not receive fixes
  • Exploitation: Active exploitation observed and an exploitation attempt preceded the disclosure

The vulnerability stems from improper input sanitization in a CGI library allowing injection of shell commands via DNS configuration parameters. An unauthenticated attacker can achieve remote code execution by supplying crafted values to the endpoint.
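The root cause described above, the unsafe pattern of splicing a request parameter into a shell command line, is shown here next to a hardened handler. This is an added illustration written for this article, not D-Link's firmware code; the function names, the parameter name `dns1`, and the resolv.conf-style output are assumptions chosen to make the pattern concrete.

```c
/* Added example, not D-Link's code. Function names and the dns1/dns2
 * parameters are hypothetical; the point is the contrast between the
 * two handlers, not the exact firmware behaviour. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* UNSAFE pattern: the request parameter is copied verbatim into a command
 * line that a real CGI handler would hand to system(). Any shell
 * metacharacter in dns1 therefore becomes part of the command. This version
 * only builds the string so the injection point can be inspected without
 * executing anything. */
int build_dns_cmd_unsafe(char *out, size_t outlen, const char *dns1)
{
    return snprintf(out, outlen, "echo nameserver %s > /etc/resolv.conf", dns1);
}

/* Allow-list validator: a DNS server value must be a dotted-quad IPv4
 * address and nothing else. Character check first, then inet_pton for
 * shape and octet range. Returns 1 when valid, 0 otherwise. */
int is_valid_ipv4(const char *s)
{
    struct in_addr a;
    size_t n = (s == NULL) ? 0 : strlen(s);
    if (n == 0 || n > 15)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isdigit((unsigned char)s[i]) && s[i] != '.')
            return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* HARDENED handler: validate every parameter against the allow-list, then
 * render the configuration content directly. No shell is invoked at any
 * point, so there is nothing for a metacharacter to reach. Returns the
 * number of bytes written, or -1 when input is rejected or does not fit. */
int render_resolv_conf(char *out, size_t outlen, const char *dns1, const char *dns2)
{
    if (!is_valid_ipv4(dns1))
        return -1;
    int have_dns2 = (dns2 != NULL && dns2[0] != '\0');
    if (have_dns2 && !is_valid_ipv4(dns2))
        return -1;

    int n = snprintf(out, outlen, "nameserver %s\n", dns1);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    if (have_dns2) {
        int m = snprintf(out + n, outlen - (size_t)n, "nameserver %s\n", dns2);
        if (m < 0 || (size_t)(n + m) >= outlen)
            return -1;
        n += m;
    }
    return n;
}

int main(void)
{
    char cmd[128], conf[128];
    const char *tainted = "8.8.8.8; ls";   /* constructed sample input */

    /* The unsafe builder keeps the metacharacters; the hardened path rejects them. */
    build_dns_cmd_unsafe(cmd, sizeof cmd, tainted);
    printf("unsafe command line: %s\n", cmd);
    printf("hardened result for tainted input: %d\n",
           render_resolv_conf(conf, sizeof conf, tainted, NULL));
    if (render_resolv_conf(conf, sizeof conf, "8.8.8.8", "1.1.1.1") > 0)
        printf("hardened output for clean input:\n%s", conf);
    return 0;
}
```

The validator is deliberately an allow-list (only digits and dots, then a full `inet_pton` parse) rather than a deny-list of metacharacters; deny-lists are where CGI sanitization routines typically go wrong, and avoiding the shell entirely removes the class of bug rather than one instance of it.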

The issue was disclosed on December 15 after an exploitation attempt was recorded on a honeypot. Most consumer router setups allow only LAN access to administrative CGI endpoints such as _dnscfg.cgi_, so exploitation implies either a browser-based attack from inside the LAN or a device configured for remote administration over the WAN.

Affected device models and firmware versions include DSL-526B  2.01, DSL-2640B  1.07, DSL-2740R < 1.17, and DSL-2780B  1.01.14, according to a D-Link support announcement.

All listed models reached end-of-life in 2020 and will not receive firmware updates or security patches. Users are advised to replace affected routers with supported models or, failing that, to deploy them only on segmented, non-critical networks, apply the latest available firmware, and use restrictive security settings such as disabling remote administration.

WHY IT MATTERS

Unpatched, end-of-life routers with remote code execution flaws can lead to full device compromise and exposure of connected networks. Replacing or isolating affected routers reduces the risk of exploitation.