Full Report
A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the "dnscfg.cgi" endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters. "An unauthenticated remote attacker can inject
Analysis Summary
# Vulnerability: Command Injection in D-Link DSL Gateway Routers leading to RCE
## CVE Details
- CVE ID: CVE-2026-0625
- CVSS Score: 9.3 (Critical)
- CWE: (Not explicitly listed, but implies CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: Legacy D-Link DSL gateway routers (DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models)
- Versions:
- DSL-2640B <= 1.07
- DSL-2740R < 1.17
- DSL-2780B <= 1.01.14
- DSL-526B <= 2.01
- Configurations: Any configuration accessible via the affected endpoint on vulnerable firmware versions. Note: Some affected devices are End-of-Life (EoL) as of early 2020.
## Vulnerability Description
The vulnerability is a critical **Command Injection** flaw residing in the `"dnscfg.cgi"` endpoint of the affected D-Link DSL gateway routers. This flaw results from improper sanitization of user-supplied parameters intended for DNS configuration. An unauthenticated remote attacker can inject and execute arbitrary shell commands on the underlying operating system, leading to **Remote Code Execution (RCE)**. The injection mechanism can also be leveraged for unauthenticated DNS modification, potentially leading to DNS hijacking.
## Exploitation
- Status: **Exploited in the wild** (Exploitation attempts recorded by Shadowserver Foundation on November 27, 2025, and noted by VulnCheck on December 16, 2025).
- Complexity: Low (The vulnerability allows for **unauthenticated** remote exploitation via the network).
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Arbitrary command execution enables data access/exfiltration).
- Integrity: High (Full control over the device, including the ability to alter DNS settings, redirecting all downstream traffic).
- Availability: High (The device can be taken offline or configured to disrupt service via DNS redirection).
## Remediation
### Patches
- No specific patch versions were definitively listed, as D-Link noted complexities in identifying all affected models due to firmware variations. Users are advised to check vendor advisories for updates. **Crucially, many impacted models are End-of-Life and unpatchable.**
### Workarounds
- **Retire and Upgrade:** The primary mitigation advised by D-Link and security researchers for these End-of-Life (EoL) models is to immediately decommission these legacy devices and upgrade to actively supported routers that receive regular security updates.
- **Firmware Inspection:** Users/organizations must perform direct firmware inspection to confirm if they are running vulnerable builds, as model numbers alone are not reliable indicators.
## Detection
- Indicators of Compromise: Traffic anomalies indicative of DNS modification or attempts to access the `dnscfg.cgi` endpoint with unusual parameters.
- Detection methods and tools: Network monitoring/Intrusion Detection Systems monitoring HTTP traffic targeting `/dnscfg.cgi`. Direct firmware level analysis is required for accurate detection of vulnerable installations.
## References
- Vendor Advisory (D-Link): hxxps://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488
- Third-Party Advisory (VulnCheck): hxxps://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
- Related DNS Hijacking Documentation (D-Link): hxxps://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068