A critical command injection vulnerability in several legacy D-Link DSL routers is being actively exploited by threat actors. Tracked as CVE-2026-0625, the flaw resides in the dnscfg.cgi endpoint and stems from improper input sanitization, which allows unauthenticated attackers to execute arbitrary commands remotely. The issue was reported to D-Link after exploitation attempts were detected on honeypots maintained by The Shadowserver Foundation.
The affected models include the DSL-526B, DSL-2640B, DSL-2740R, and DSL-2780B, all of which reached end-of-life (EoL) status in 2020. As a result, D-Link will not release firmware patches for these devices and strongly recommends replacing them with currently supported models. The vendor is still investigating whether other products might be impacted, noting the difficulty in identifying all vulnerable units due to firmware variations.
Successful exploitation typically requires the router's administrative interface to be accessible from the local network or configured for remote management. Users with these outdated routers should retire them immediately or, if necessary, deploy them only in isolated, non-critical network segments. This incident underscores the persistent security risks of using unsupported hardware that no longer receives security updates.
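For networks where these routers cannot be retired at once, the following added example (not code from D-Link or Shadowserver) triages HTTP access logs from a proxy or sensor in front of the device and flags requests to dnscfg.cgi. The log format, the RFC 1918 LAN ranges, the `example_param` name and the sample lines are assumptions constructed for illustration; the page does not name the vulnerable parameter.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumed log format: combined-log prefix (source IP, request line, status).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Shell-significant characters that have no place in a DNS configuration value.
SHELL_META = re.compile(r"[;|&`$<>\r\n]")
# Assumption: the LAN uses RFC 1918 space; adjust to the real management subnet.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def triage(line):
    """Return a finding for a request to dnscfg.cgi, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, target, status = m.groups()
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != "dnscfg.cgi":
        return None
    try:
        addr = ipaddress.ip_address(src)
        external = not any(addr in net for net in LAN_NETS)
    except ValueError:
        external = True  # unparseable source is treated as untrusted
    # parse_qsl decodes once; decode again to catch double-encoded characters.
    values = [unquote_plus(v)
              for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    meta = any(SHELL_META.search(v) for v in values)
    severity = "high" if meta else "medium" if external else "low"
    return {"src": src, "status": int(status), "external": external,
            "shell_meta": meta, "severity": severity}

def scan(lines):
    """Triage every line and keep only the dnscfg.cgi findings."""
    return [f for f in map(triage, lines) if f]

# Constructed sample lines; example_param and PLACEHOLDER are not real names.
SAMPLE = [
    '192.168.1.20 - - [10/Jan/2026:08:00:01 +0000] "GET /dnscfg.cgi?example_param=192.0.2.53 HTTP/1.1" 200',
    '203.0.113.7 - - [10/Jan/2026:08:03:44 +0000] "GET /dnscfg.cgi?example_param=192.0.2.53%3BPLACEHOLDER HTTP/1.1" 200',
    '192.168.1.21 - - [10/Jan/2026:08:05:10 +0000] "GET /dnscfg.cgi?example_param=192.0.2.53%253BPLACEHOLDER HTTP/1.1" 200',
    '203.0.113.9 - - [10/Jan/2026:08:06:02 +0000] "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only the request line is inspected, so parameters sent in a POST body need a sensor that records bodies.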
