IT Knowledge Bases

CVE-2026-0625: Actively Exploited RCE in Legacy D-Link DSL Routers

Diagram illustrating CVE-2026-0625 unauthenticated remote code execution leading to DNS hijacking and internal network compromise via a vulnerable router

Summary (Why This Matters)

CVE-2026-0625 is a critical, unauthenticated remote code execution (RCE) vulnerability affecting multiple end-of-life D-Link DSL routers. It is actively exploited in the wild. Attackers can take full control of vulnerable routers over the internet, manipulate DNS settings, intercept traffic, and pivot into internal networks.

If one of these routers is still online, there is no compensating control that makes it safe. Replacement is the only realistic fix.

Affected Devices

The vulnerability impacts several legacy D-Link DSL gateway models, including:

  • DSL-2640B
  • DSL-2740R
  • DSL-2780B
  • DSL-526B

These devices are end-of-life (EOL) and no longer receive firmware updates.

Vulnerability Overview

  • CVE ID: CVE-2026-0625
  • Vulnerability Class: Command Injection → Remote Code Execution
  • Attack Vector: Network (HTTP)
  • Authentication Required: None
  • User Interaction: None
  • Impact: Full device compromise

See the official National Vulnerability Database Here: NVD – CVE-2026-0625

Root Cause

The flaw exists in the router’s web management interface, specifically within the dnscfg.cgi endpoint.
User-supplied DNS configuration parameters are not properly sanitized, allowing attackers to inject arbitrary shell commands.

Because the endpoint is accessible without authentication on many exposed devices, exploitation is trivial once the router is reachable from the internet.

Real-World Exploitation

This is not theoretical.

Active exploitation campaigns have been observed doing the following:

  • Executing arbitrary shell commands on routers
  • Hijacking DNS settings to redirect traffic
  • Performing man-in-the-middle attacks
  • Enrolling compromised routers into botnets
  • Using the router as a foothold to attack internal devices

These attacks disproportionately affect home users, small offices, and remote workers, where legacy DSL hardware is often forgotten but still online.

Why This Is Especially Dangerous

Routers sit at a trusted choke point in the network. Once compromised, attackers can:

  • Intercept credentials and session cookies
  • Redirect traffic to phishing pages
  • Bypass endpoint protections
  • Attack systems that are otherwise not internet-exposed

Unlike endpoint malware, router compromise is largely invisible to users.

Mitigation and Response

There Is No Patch

D-Link has confirmed these models are end-of-life. No firmware update will be released.

Required Actions

If you manage or own one of these devices:

  1. Disconnect it from the internet immediately
  2. Replace it with a supported router
  3. Reset all credentials used on the network
  4. Assume DNS-based interception may have occurred
  5. Inspect internal systems for secondary compromise

What Does Not Work

  • Port forwarding restrictions
  • Firewall rules alone
  • Changing admin passwords

If the management interface is exposed, the device is vulnerable.

Defensive Lessons (Beyond This CVE)

This vulnerability reinforces several hard truths:

  • EOL network devices are security liabilities
  • Routers should never expose management interfaces to the internet
  • DNS manipulation is a powerful and underestimated attack vector
  • “It’s just a home router” is not a valid risk assessment

Key Takeaways

  • CVE-2026-0625 is actively exploited in the wild
  • It enables unauthenticated remote code execution
  • Affected D-Link DSL routers cannot be patched
  • Replacement is the only safe mitigation
  • Router compromise enables silent, high-impact attacks

Need a new router quick? try the AXE5400… Heads up, buying this will support us as well!

more content like this? CVE-2026-21858: Critical Unauthenticated RCE in n8n (“Ni8mare”)

David Wolfcale

Leave a Reply