Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers

"A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the 'dnscfg.cgi' endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters. 'An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution,' VulnCheck noted in an advisory."
"In an alert of its own, D-Link said it initiated an internal investigation following a report from VulnCheck on December 16, 2025, about active exploitation of 'dnscfg.cgi,' and that it's working to identify historical and current use of the CGI library across all its product offerings. It also cited complexities in accurately determining affected models due to variations in firmware implementations and product generations. An updated list of specific models is expected to be published later this week once a firmware-level review is complete."
Legacy D-Link DSL gateway routers contain a critical command-injection vulnerability tracked as CVE-2026-0625 in the dnscfg.cgi endpoint due to improper sanitization of DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, enabling remote code execution. Exploitation attempts were observed in the wild and recorded by Shadowserver on November 27, 2025. Affected firmware variants include DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B from 2016–2019, and some impacted devices reached end-of-life in early 2020. D-Link initiated an investigation, is validating firmware builds, and expects to publish an updated model list after review. Accurate model detection requires direct firmware inspection. The identity and scale of threat actors remain unknown.
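Because the flaw is reachable without authentication through dnscfg.cgi, one practical check is to review proxy or gateway access logs for requests to that endpoint whose parameter values contain anything a DNS server address would not. The following is an added example, not code from D-Link, VulnCheck or the original article; the log format (combined access log), the parameter names and the sample lines are constructed assumptions, and it inspects query strings only, not request bodies.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Characters a DNS server address or hostname can legitimately contain.
# Anything else (separators, spaces, quotes, newlines) is treated as suspect.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.:\-]*")
# Request line as it appears in a combined-format access log (assumption).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_dnscfg_requests(log_lines):
    """Return (line_no, param, decoded_value) for each dnscfg.cgi request
    parameter whose value falls outside the SAFE_VALUE allowlist."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/dnscfg.cgi"):
            continue
        # parse_qsl percent-decodes values, so encoded characters are checked too.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if not SAFE_VALUE.fullmatch(value):
                hits.append((line_no, name, value))
    return hits


# Constructed sample lines; param_a / param_b are placeholder parameter names.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Nov/2025:10:00:01 +0000] '
    '"GET /dnscfg.cgi?param_a=192.0.2.53&param_b=192.0.2.54 HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Nov/2025:10:00:05 +0000] '
    '"GET /dnscfg.cgi?param_a=192.0.2.53%3Becho%20test HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Nov/2025:10:00:09 +0000] '
    '"GET /index.html?q=a%3Bb HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for line_no, name, value in suspicious_dnscfg_requests(SAMPLE_LOG):
        print(f"line {line_no}: {name}={value!r}")
```

Any hit from an external source address against a device on the affected list is worth triage, since a legitimate DNS setting change should only ever carry address-like values.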
Read at The Hacker News