Zero-Day in End-of-Life D-Link Routers Actively Exploited; No Patch Will Be Released

Unpatched Zero-Day Vulnerability (CVE-2026-0625) in Discontinued D-Link Routers Under Active Attack

CRITICAL
January 8, 2026

Executive Summary

A critical zero-day command injection vulnerability, CVE-2026-0625, is being actively exploited in multiple discontinued D-Link DSL routers. The flaw carries a CVSS score of 9.3 and allows for unauthenticated remote code execution (RCE). Threat actors are leveraging this vulnerability to execute arbitrary shell commands on affected devices. D-Link has confirmed the issue but has stated that no patches will be released because the impacted models have reached their end-of-life (EOL). Security researchers and D-Link are urging all users of the affected routers to immediately decommission and replace them to prevent their networks from being compromised.

Vulnerability Details

The vulnerability is an OS command injection flaw located in the dnscfg.cgi Common Gateway Interface (CGI) script. This script is part of the router's web-based management interface and is responsible for processing DNS configuration changes. The script fails to properly sanitize or validate user-supplied input before passing it to a system command. A remote, unauthenticated attacker can craft a malicious HTTP request to this endpoint, injecting arbitrary shell commands that will be executed on the router's underlying operating system with root privileges.

Affected Systems

While D-Link is still conducting a full firmware review, the following models are known or suspected to be vulnerable:

  • DSL-2740R
  • DSL-2640B
  • DSL-2780B
  • DSL-526B
  • Other discontinued DSL gateway models.

Exploitation Status

This is a zero-day vulnerability with confirmed active exploitation in the wild. The Shadowserver Foundation has observed exploitation attempts dating back to at least late November 2025. The attacks are consistent with "DNSChanger" campaigns, where attackers modify the router's DNS settings to redirect user traffic to malicious sites for phishing, ad-fraud, or malware delivery. The vulnerability was reported to D-Link on December 16, 2025, by researchers at VulnCheck who had also observed live exploitation.

Technical Analysis

The exploit is straightforward for an attacker to execute. They simply need to send a crafted request to the vulnerable endpoint. For example:

GET /dnscfg.cgi?service_name=wan&ifname=br0&dns_server_ip=8.8.8.8;`[malicious_command]`

The router's firmware concatenates the dns_server_ip parameter into a shell command without validation, allowing the backticks and the enclosed command to be executed by the system. Compromised routers can be absorbed into botnets for DDoS attacks, used as proxies for further malicious activity, or leveraged to intercept and manipulate the owner's internet traffic.

Impact Assessment

The impact of this vulnerability is high for any individual or small business still using these EOL devices. A successful exploit grants an attacker full control over the router, which is the gateway to the local network. Potential consequences include:

  • Traffic Interception: Attackers can perform man-in-the-middle attacks, stealing credentials, session cookies, and other sensitive data.
  • Phishing and Malware Delivery: By controlling DNS, attackers can redirect users to fake websites for credential harvesting or to sites that deliver malware.
  • Botnet Enlistment: The compromised router can be used as part of a larger botnet to conduct DDoS attacks or send spam.
  • Internal Network Pivoting: An attacker could use the compromised router to scan and attack other devices on the local network.

Since no patch will be provided, these devices will remain perpetually vulnerable.

Cyber Observables for Detection

Type                     | Value           | Description
-------------------------|-----------------|------------------------------------------------------------------------------------------------
url_pattern              | /dnscfg.cgi     | Monitor for any access attempts to this CGI script, especially from external IP addresses.
network_traffic_pattern  | dns_server_ip=  | Look for suspicious shell commands embedded within the dns_server_ip parameter in GET requests.
dns_query                | *               | Monitor for outbound DNS queries to unexpected or known malicious DNS servers from the router itself.

Mitigation

There is no patch for this vulnerability. The only effective mitigation is to immediately disconnect, retire, and replace any affected D-Link router.

  1. Identify Affected Devices: All organizations and individuals should audit their network hardware to identify if any of the vulnerable D-Link models are in use.
  2. Decommission: Immediately disconnect any identified vulnerable router from the internet.
  3. Replace: Replace the EOL device with a modern, supported router from a reputable vendor that provides regular security updates.
  4. Network Segmentation: As a general best practice, do not expose the management interface of any router or network device to the public internet. Access should be restricted to the internal LAN only. This is a core principle of D3FEND's D3-NI - Network Isolation.

Timeline of Events

  1. November 20, 2025: Exploitation of CVE-2026-0625 is observed in the wild by Shadowserver.
  2. December 16, 2025: VulnCheck reports the zero-day vulnerability to D-Link after observing active exploitation.
  3. January 7, 2026: The vulnerability is publicly disclosed, and D-Link confirms no patch will be released.
  4. January 8, 2026: This article is published.

MITRE ATT&CK Mitigations

The most effective mitigation, short of replacement, is to ensure the router's management interface is not exposed to the internet.

While no patch is available for the affected devices, replacing them with supported hardware that receives updates is the ultimate solution.

D3FEND Defensive Countermeasures

The primary and only viable mitigation strategy for the unpatchable CVE-2026-0625 is device replacement. However, as a general security principle, organizations should implement network isolation for all edge device management interfaces. Configure firewall rules to block any inbound traffic from the internet to the router's web administration port (typically TCP 80 or 443). Access to the management interface should only be permitted from a trusted internal management network or specific IP addresses on the LAN. This practice, while not a fix for the vulnerability itself, prevents external, unauthenticated attackers from reaching the vulnerable dnscfg.cgi endpoint, thereby mitigating the immediate threat of remote exploitation. This should be standard policy for all network infrastructure.

To detect potential compromise of these D-Link routers, security teams should actively monitor DNS traffic originating from the router itself. Establish a baseline of the legitimate DNS servers used in your environment (e.g., your ISP's servers or public resolvers like 8.8.8.8). Use a SIEM or network monitoring tool to generate alerts if the router begins sending DNS queries to unauthorized or suspicious servers; this is a key indicator of a 'DNSChanger'-style attack. Additionally, create alerts for any HTTP GET requests from the internet targeting the /dnscfg.cgi URI path, as this is a direct sign of an exploitation attempt against this specific vulnerability.
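Detection logic for the three observables in the table above and the monitoring described in this paragraph, as an added example written for this page (not code from the report, D-Link, Shadowserver or VulnCheck). It assumes common-log-format access lines from whatever device fronts the router's web interface and (src, dst, qname) DNS records from a network sensor; all sample data is constructed.

```python
# Detection helpers for CVE-2026-0625 (added example; all sample data below is constructed).
import ipaddress
import re
from urllib.parse import unquote

# Request portion of a common-log-format access line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def parse_query(query):
    """Split on '&' only, so a ';' inside a value survives (parse_qs may split on ';')."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key), []).append(unquote(value))
    return params

def check_dnscfg_request(log_line):
    """Flag any request to /dnscfg.cgi (url_pattern); escalate to 'high' when
    dns_server_ip is not a bare IP address, which is how an injected command appears."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != "/dnscfg.cgi":
        return None
    finding = {"src": log_line.split()[0], "severity": "info",
               "reason": "access to /dnscfg.cgi"}
    for value in parse_query(query).get("dns_server_ip", []):
        try:
            ipaddress.ip_address(value)  # a legitimate value is only ever an IP address
        except ValueError:
            finding.update(severity="high", dns_server_ip=value,
                           reason="dns_server_ip is not a bare IP address")
    return finding

def check_router_dns(records, router_ip, allowed_resolvers):
    """Return (src, dst, qname) records where the router itself queried a resolver
    outside the baseline allowlist (the dns_query observable)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_resolvers}
    return [r for r in records
            if r[0] == router_ip and ipaddress.ip_address(r[1]) not in allowed]

# Constructed samples: line 1 mirrors the request shape from Technical Analysis, URL-encoded
# as an access log would record it; the remaining lines and records are benign traffic.
SAMPLE_HTTP_LOG = [
    '203.0.113.7 - - [21/Nov/2025:03:14:07 +0000] "GET /dnscfg.cgi?service_name=wan&ifname=br0&dns_server_ip=8.8.8.8;%60[malicious_command]%60 HTTP/1.1" 200 512',
    '192.168.1.20 - - [21/Nov/2025:08:02:11 +0000] "GET /dnscfg.cgi?service_name=wan&ifname=br0&dns_server_ip=9.9.9.9 HTTP/1.1" 200 512',
    '192.168.1.20 - - [21/Nov/2025:08:03:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
SAMPLE_DNS = [("192.168.1.1", "8.8.8.8", "example.com"),
              ("192.168.1.1", "198.51.100.23", "example.net"),   # router -> resolver not in baseline
              ("192.168.1.20", "198.51.100.23", "example.org")]  # a LAN host, not the router
ROUTER_IP, BASELINE_RESOLVERS = "192.168.1.1", ["8.8.8.8", "1.1.1.1"]
```

Running `check_dnscfg_request` over the sample log yields a high-severity finding for the external source and an informational one for the LAN change, while `check_router_dns` returns only the router's query to the unlisted resolver.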

Sources & References

Attackers Exploit Zero-Day in End-of-Life D-Link Routers
Dark Reading (darkreading.com) January 7, 2026
Hackers Exploit Zero-Day in Discontinued D-Link Devices
SecurityWeek (securityweek.com) January 7, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
