Attackers are actively exploiting a critical command injection vulnerability in legacy D-Link routers that allows unauthenticated remote code execution. CVE-2026-0625 carries a CVSS score of 9.3, and because the affected devices reached end-of-life before 2020, no patch will be released.
Vulnerability overview
| Attribute | Value |
|---|---|
| CVE | CVE-2026-0625 |
| CVSS Score | 9.3 (Critical) |
| Type | Command injection |
| Authentication | None required |
| User interaction | None required |
| Patch status | None available (EOL) |
Technical details
The flaw exists in the dnscfg.cgi endpoint, which handles DNS configuration on affected routers.
Root cause
The dns_server parameter is not sanitized before being passed to a shell command, allowing attackers to inject arbitrary commands using standard shell metacharacters:
- `;` (command separator)
- `|` (pipe)
- `$()` (command substitution)
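To make the root cause concrete, here is an added Python illustration (not D-Link's firmware code, which is not public on this page) of the two handler patterns: the vulnerable one interpolates the `dns_server` parameter into a shell command string, the hardened one accepts only a single IP-address literal and writes the resolver file directly, so no shell is ever involved. The `/etc/resolv.conf` path and the `dns_server` parameter name are assumed from the description above; the vulnerable function only builds the command string and never executes it.

```python
import ipaddress
import os
import tempfile

# Characters named in the advisory text (plus a few common ones) that let a
# value break out of a shell command. Kept only to contrast the deny-list
# approach with the allow-list fix below; the hardened path never uses it.
SHELL_METACHARACTERS = set(";|&$`()<>\n")


def build_unsafe_command(dns_server: str) -> str:
    """Vulnerable pattern (assumed shape of the flawed handler): the request
    parameter is pasted straight into a shell command line. This function only
    BUILDS the string so the injection can be observed; it executes nothing."""
    return f"echo nameserver {dns_server} > /etc/resolv.conf"


def contains_shell_metacharacters(value: str) -> bool:
    """Deny-list check, shown for comparison; it is not the recommended fix
    because the set of dangerous characters depends on the shell and quoting."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def validate_dns_server(value: str):
    """Allow-list check: accept only a single IPv4/IPv6 literal, nothing else.
    Returns the parsed address, or None when the value is rejected."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def apply_dns_server(value: str, resolv_path: str) -> str:
    """Hardened handler: validate first, then write the file from Python.
    No shell runs, so no metacharacter can change what is executed."""
    ip = validate_dns_server(value)
    if ip is None:
        raise ValueError("dns_server must be a single IP address literal")
    line = f"nameserver {ip}\n"
    with open(resolv_path, "w", encoding="ascii") as fh:
        fh.write(line)
    return line


def demo_apply(value: str) -> str:
    """Run the hardened handler against a throwaway temp file and return what
    was written, or 'rejected' when validation refused the value."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        return apply_dns_server(value, path)
    except ValueError:
        return "rejected"
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed inputs: two legitimate literals and one carrying a separator.
    for candidate in ("8.8.8.8", "2001:db8::53", "8.8.8.8; id"):
        print(f"{candidate!r:16} unsafe command: {build_unsafe_command(candidate)!r}")
        print(f"{'':16} hardened result: {demo_apply(candidate)!r}")
```

The point of the hardened version is that it does not try to strip or escape metacharacters at all: the parameter is parsed as an address or rejected, and the resulting value is written through a file API rather than a command interpreter. Quoting the value with `shlex.quote` would also stop this particular injection, but removing the shell from the code path removes the whole class of bug.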
Exploitation
“An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution.” — VulnCheck advisory
Attack requirements:
- Network access to management interface
- No authentication needed
- No user interaction required
Affected devices
DSL series (ADSL routers)
| Model | Status |
|---|---|
| DSL-500 | EOL, vulnerable |
| DSL-500G | EOL, vulnerable |
| DSL-502G | EOL, vulnerable |
| DSL-526B | EOL, vulnerable |
| DSL-2640B | EOL, vulnerable |
| DSL-2640T | EOL, vulnerable |
| DSL-2740R | EOL, vulnerable |
| DSL-2780B | EOL, vulnerable |
DIR series (consumer routers)
| Model | Status |
|---|---|
| DIR-600 | EOL, vulnerable |
| DIR-608 | EOL, vulnerable |
| DIR-610 | EOL, vulnerable |
| DIR-611 | EOL, vulnerable |
| DIR-615 | EOL, vulnerable |
| DIR-905L | EOL, vulnerable |
DNS series (network storage)
| Model | Status |
|---|---|
| DNS-320 | EOL, vulnerable |
| DNS-325 | EOL, vulnerable |
| DNS-345 | EOL, vulnerable |
Note: D-Link states that confirming vulnerability requires direct firmware inspection—model number alone is not sufficient.
Exploitation timeline
| Date | Event |
|---|---|
| November 27, 2025 | Shadowserver Foundation records first exploitation |
| December 16, 2025 | VulnCheck notifies D-Link of active exploitation |
| December 2025 | D-Link publishes advisory SAP10488 |
| January 5, 2026 | VulnCheck publishes detailed advisory |
| Ongoing | Active exploitation continues |
Exploitation was observed months before public disclosure, indicating attackers discovered the vulnerability independently.
VulnCheck disclosure process
| Date | Action |
|---|---|
| November 27, 2025 | Shadowserver observes first exploitation |
| December 16, 2025 | VulnCheck notifies D-Link |
| December 2025 | D-Link issues SAP10488 advisory |
| January 5, 2026 | VulnCheck publishes detailed advisory |
VulnCheck reported observing “active exploitation of a compromised CGI library in certain D-Link devices” in production environments before contacting D-Link.
Targeted firmware variants
Exploitation campaigns have specifically targeted:
- DSL-2740R
- DSL-2640B
- DSL-2780B
- DSL-526B
Attack capabilities
Successful exploitation gives attackers full control over the device:
| Capability | Impact |
|---|---|
| DNS manipulation | Redirect all traffic through attacker infrastructure |
| Phishing enablement | Redirect banking, email sites to fake pages |
| Credential theft | Intercept login credentials |
| Ad injection | Insert malicious advertisements |
| Botnet recruitment | Join device to DDoS or proxy botnet |
| Network pivot | Use router as entry point to internal network |
| Traffic interception | Monitor unencrypted communications |
Downstream impact
Once DNS settings are altered, every device behind the router—phones, laptops, IoT devices—can be silently redirected without any indication to users.
Historical context
CVE-2026-0625 exposes the same DNS configuration mechanism abused in previous large-scale campaigns:
GhostDNS campaign (2018-2019)
| Metric | Impact |
|---|---|
| Devices compromised | 100,000+ |
| Primary targets | Brazilian banking customers |
| Technique | DNS hijacking to fake bank sites |
DNSChanger campaigns (2016-2019)
| Metric | Impact |
|---|---|
| Devices compromised | Hundreds of thousands |
| Primary targets | Consumer routers globally |
| Technique | Malicious ad injection, credential theft |
D-Link documented these attacks affecting the same endpoint between 2016 and 2019.
PyPhp variant details
The GhostDNS ecosystem included a sophisticated attack infrastructure:
| Component | Details |
|---|---|
| PyPhp module | Primary attack module |
| C2 servers | 100+ command-and-control servers |
| Hosting | Largely cloud-hosted infrastructure |
| Attack scripts | 100+ scripts targeting routers |
| Target scope | Public internet and internal networks |
The attack scripts were designed to target routers both on the public internet and behind NAT on internal networks.
Remediation
Primary recommendation: Replace the hardware
“D-Link Systems, Inc. recommends retiring affected legacy devices and replacing them with supported products that receive regular firmware updates.”
All affected devices reached end-of-life before 2020 and will never receive patches.
If immediate replacement isn’t possible
| Mitigation | Implementation |
|---|---|
| Disable remote management | Eliminate internet-facing attack surface |
| Block external web access | Firewall inbound WAN-side traffic to the router's web interface (TCP 80/443) |
| Network segmentation | Isolate router from sensitive systems |
| Monitor DNS traffic | Alert on unexpected configuration changes |
Detection indicators
| Indicator | Detection method |
|---|---|
| Unexpected DNS server changes | Router configuration review |
| Traffic to malicious infrastructure | Network monitoring |
| Unusual outbound connections | Traffic analysis |
| DNS queries resolving incorrectly | DNS response validation |
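Two of the detection methods in the table above, router configuration review and DNS response validation, can be scripted. The following Python is an added example written for this page, not tooling from D-Link, VulnCheck or Shadowserver: it compares the router's currently configured DNS servers against an allow-list, and compares answers obtained through the router with answers from an independent trusted resolver for a few sensitive domains. All addresses and domain names are constructed from documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`, `.example`); the expected-resolver set and the "obtained through the router" answers are assumptions you would replace with your own data.

```python
import ipaddress

# Constructed allow-list: the resolvers this site expects the router to hand out.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


def review_router_dns(current_servers, expected=EXPECTED_RESOLVERS):
    """Router configuration review.

    current_servers: DNS server strings read back from the router's config page.
    Returns a list of findings; an empty list means nothing unexpected.
    A value that is not even an IP literal is flagged separately, because on a
    device with this bug that is what injection residue in dns_server looks like.
    """
    findings = []
    for value in current_servers:
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            findings.append(f"non-IP dns_server value {value!r}")
            continue
        if str(ip) not in expected:
            findings.append(f"unexpected DNS server {ip}")
    return findings


def validate_dns_answers(observed, trusted):
    """DNS response validation.

    observed: domain -> set of A/AAAA answers obtained via the router's resolver.
    trusted:  domain -> set of answers from an independent resolver you control.
    Returns {domain: sorted observed answers} for domains whose router-path
    answers share no address with the trusted answers.
    """
    suspicious = {}
    for domain, answers in observed.items():
        reference = trusted.get(domain)
        if reference is None:
            continue  # no baseline for this name; nothing to compare
        if not set(answers) & set(reference):
            suspicious[domain] = sorted(answers)
    return suspicious


# Constructed sample data: one unexpected resolver, one redirected domain.
SAMPLE_ROUTER_DNS = ["192.0.2.53", "198.51.100.7"]
SAMPLE_OBSERVED = {
    "bank.example": {"198.51.100.20"},
    "mail.example": {"203.0.113.10"},
    "cdn.example": {"203.0.113.40", "203.0.113.41"},
}
SAMPLE_TRUSTED = {
    "bank.example": {"203.0.113.20"},
    "mail.example": {"203.0.113.10"},
    "cdn.example": {"203.0.113.41"},
}


def run_checks(router_dns=SAMPLE_ROUTER_DNS, observed=SAMPLE_OBSERVED, trusted=SAMPLE_TRUSTED):
    """Run both checks and return them as one report dict."""
    return {
        "config_findings": review_router_dns(router_dns),
        "suspicious_domains": validate_dns_answers(observed, trusted),
    }


if __name__ == "__main__":
    report = run_checks()
    for finding in report["config_findings"]:
        print("CONFIG:", finding)
    for domain, answers in report["suspicious_domains"].items():
        print(f"DNS: {domain} resolves to {answers} via router, disagrees with trusted resolver")
```

The answer comparison deliberately treats "any address in common" as agreement, so a CDN that returns a rotating subset of a larger pool (as `cdn.example` does in the sample) is not flagged. Names served by geo-distributed DNS can still disagree legitimately between two vantage points, so use the finding as a trigger for a configuration review rather than as proof of compromise, and run the trusted query over a path that does not traverse the router under test.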
The broader problem
This vulnerability highlights the endemic issue of end-of-life consumer networking equipment:
| Challenge | Scale |
|---|---|
| Installed base | Millions of vulnerable devices worldwide |
| User awareness | Most users don’t know devices are EOL |
| Update capability | No patches available |
| Replacement incentive | Devices still “work” for basic connectivity |
| Visibility | ISPs and users often unaware of router model |
Why it matters
| Factor | Risk |
|---|---|
| Always-on devices | Continuous attack surface |
| Network position | Gateway to all connected devices |
| Trust position | DNS responses trusted by all clients |
| Persistence | Survives endpoint security measures |
Recommendations
For home users
| Priority | Action |
|---|---|
| Immediate | Check if your router is on the affected list |
| If affected | Replace with a currently supported device |
| If replacement delayed | Disable remote management immediately |
| Ongoing | Enable automatic updates on new device |
For small businesses
| Priority | Action |
|---|---|
| Immediate | Inventory all network equipment |
| High | Replace any EOL devices |
| High | Implement network monitoring |
| Ongoing | Establish equipment lifecycle management |
For ISPs
| Priority | Action |
|---|---|
| High | Identify affected customer equipment |
| High | Notify customers of vulnerability |
| Consider | Equipment replacement programs |
| Ongoing | Block exploitation traffic at network edge |
Context
CVE-2026-0625 represents the long tail of IoT security debt. These routers were sold for years, deployed in millions of homes and small businesses, and then abandoned when D-Link ended support. The devices continue operating—and remain vulnerable—until they physically fail or are manually replaced.
The affected endpoint has been known to be dangerous since at least 2016. The vulnerability will continue to be exploited until the last affected device is retired.
The only real solution is hardware replacement. Mitigations can reduce risk, but cannot eliminate it. Organizations and individuals still running these devices face “elevated operational risk” that increases daily as exploitation techniques spread.
Firmware verification note
D-Link states that confirming vulnerability requires direct firmware inspection—model number alone is not sufficient to determine vulnerability status. The same model may have multiple firmware versions with varying vulnerability status.
| Verification method | Details |
|---|---|
| Model number | Insufficient alone |
| Firmware version | Must be inspected |
| Hardware revision | May affect vulnerability |
| Configuration | Remote management status |
Organizations with D-Link equipment should verify firmware versions against D-Link’s SAP10488 advisory for specific vulnerable firmware builds.