Security researchers warn that a critical remote code execution (RCE) vulnerability in legacy D-Link DSL routers is being actively exploited in the wild, leaving thousands of unpatchable devices wide open to total compromise.
The vulnerability, tracked as CVE-2026-0625, carries a blistering CVSS v4.0 score of 9.3, signaling an immediate danger to anyone still relying on this aging hardware.
The flaw resides in the router’s DNS configuration interface, specifically the dnscfg.cgi endpoint. According to a Jan. 5 advisory from VulnCheck, the issue stems from improper input sanitization. Attackers can leverage this oversight to inject arbitrary shell commands directly through the router’s web interface without ever needing to log in.
“An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution,” the advisory warns.
This isn’t the first time this specific component has been targeted. The affected endpoint has historical ties to the infamous DNSChanger attacks documented between 2016 and 2019, suggesting threat actors are dusting off old playbooks to compromise forgotten infrastructure.
The Shadowserver Foundation first observed evidence of active exploitation on November 27, 2025—months before the broader security community was alerted.
This “zero-day” window allowed attackers to potentially amass a botnet of compromised devices or silently manipulate DNS settings to redirect user traffic to malicious sites.
The vulnerability impacts a specific lineup of consumer and small-office DSL gateway routers:
- DSL-526B (Firmware ≤ 2.01)
- DSL-2640B (Firmware ≤ 1.07)
- DSL-2740R (Firmware < 1.17)
- DSL-2780B (Firmware ≤ 1.01.14)
D-Link declared these models End of Life (EOL) in early 2020. Consequently, no security patches are available or planned. The devices are now effectively “abandonware,” permanently vulnerable to this critical flaw.
The only fix is to replace the hardware with a modern, supported device. Continuing to use these legacy gateways is akin to leaving your digital front door wide open.
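To find which gateways in a fleet fall inside the affected ranges listed above, the following added example (not code from the article, VulnCheck or D-Link) checks an inventory export against those model and firmware bounds. The CSV column names `host`, `model` and `firmware`, the status labels, and the assumption that firmware strings are dotted numbers compared component by component are all hypothetical choices made for this sketch.

```python
import csv
import operator

# Affected models and firmware bounds, exactly as listed in the article.
AFFECTED = {
    "DSL-526B": (operator.le, "2.01"),
    "DSL-2640B": (operator.le, "1.07"),
    "DSL-2740R": (operator.lt, "1.17"),  # strict "<" for this model only
    "DSL-2780B": (operator.le, "1.01.14"),
}


def parse_version(text):
    """'1.01.14' -> (1, 1, 14, 0); raises ValueError on non-numeric parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # zero-pad: 1.17 == 1.17.0


def classify(model, firmware):
    """Return 'affected', 'review' (unparseable firmware) or 'not-listed'."""
    rule = AFFECTED.get(model.strip().upper())
    if rule is None:
        return "not-listed"
    compare, bound = rule
    try:
        have = parse_version(firmware)
    except ValueError:
        return "review"  # unknown version on a listed model is not "safe"
    return "affected" if compare(have, parse_version(bound)) else "not-listed"


def audit(inventory_csv):
    """Return (host, model, firmware, status) for rows needing attention."""
    rows = csv.DictReader(inventory_csv.splitlines())
    checked = ((r["host"], r["model"], r["firmware"],
                classify(r["model"], r["firmware"])) for r in rows)
    return [c for c in checked if c[3] != "not-listed"]


# Constructed sample inventory; hosts and rows are made up for illustration.
SAMPLE = """host,model,firmware
gw-branch-01,DSL-2740R,1.16
gw-branch-02,DSL-2740R,1.17
gw-branch-03,dsl-2780b,1.01.14
gw-branch-04,DSL-2640B,EU_1.07
gw-branch-05,DSL-9999X,1.00
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `review` result means the firmware string on a listed model could not be parsed and needs a manual look; since the article states all four models are End of Life, a `not-listed` firmware on one of them still has no vendor support.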