Security researchers are warning of ongoing attacks exploiting a critical remote code execution vulnerability in legacy D-Link DSL routers.
Vulnerability Details
The vulnerability, tracked as CVE-2026-0625 with a CVSS score of 9.3, is a command injection flaw in the “dnscfg.cgi” endpoint. The vulnerability arises from improper sanitization of user-supplied DNS configuration parameters.
Attack Vector
The flaw enables unauthenticated remote code execution via the dnscfg.cgi endpoint, giving attackers direct control over DNS settings without credentials or user interaction.
Successful exploitation allows attackers to:
- Execute arbitrary commands on the device
- Modify DNS settings to redirect traffic
- Use the router as a pivot point for further attacks
- Join the device to a botnet
Affected Devices
The vulnerability affects legacy D-Link DSL router models that have reached end-of-life (EOL) status. D-Link has stated that no patches will be released for EOL devices.
Recommended Actions
Immediate steps:
- Replace EOL devices with currently supported models
- Disable remote management if replacement is not immediately possible
- Segment the network to isolate vulnerable devices
- Monitor DNS traffic for signs of manipulation
Network indicators to watch:
- Unexpected DNS server changes
- Traffic to known malicious infrastructure
- Unusual outbound connections from the router IP
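As an added illustration (not code from the advisory or from D-Link), the following script turns the three indicators above into checks run over constructed flow and HTTP log records. The router address, the sanctioned resolver set, the router's allowed upstream destinations and every log line are assumptions built for the example; the only page-derived detail is the `dnscfg.cgi` path.

```python
import ipaddress

# Assumed environment (constructed for this example).
ROUTER_IP = "192.168.1.1"                      # LAN address of the DSL router
LAN = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_DNS = {"192.168.1.1", "9.9.9.9"}      # resolvers clients should use
ROUTER_ALLOWED_DST = {("203.0.113.10", 123)}   # e.g. NTP to the ISP

# Constructed sample records: (src, dst, dport, http_path_or_None)
SAMPLE_RECORDS = [
    ("192.168.1.50", "9.9.9.9", 53, None),              # normal DNS
    ("192.168.1.51", "198.51.100.7", 53, None),         # DNS to a rogue resolver
    ("192.168.1.1", "203.0.113.10", 123, None),         # router NTP, allowed
    ("192.168.1.1", "198.51.100.9", 4444, None),        # router calling out
    ("198.51.100.7", "192.168.1.1", 80, "/dnscfg.cgi"), # WAN hit on endpoint
    ("192.168.1.50", "192.168.1.1", 80, "/index.html"), # LAN admin page view
]


def classify(record):
    """Return the list of indicator names a single record triggers."""
    src, dst, dport, path = record
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    alerts = []
    # Requests to the vulnerable endpoint from outside the LAN: the router's
    # management interface should not be reachable from the WAN at all.
    if path and path.endswith("dnscfg.cgi") and src_ip not in LAN:
        alerts.append("wan_request_to_dnscfg")
    # LAN host resolving via a server that is not in the sanctioned set:
    # the typical symptom of DNS settings having been rewritten.
    if dport == 53 and src_ip in LAN and dst not in EXPECTED_DNS:
        alerts.append("dns_to_unexpected_resolver")
    # The router itself opening connections to destinations it never
    # needed before: consistent with a pivot or botnet check-in.
    if src == ROUTER_IP and dst_ip not in LAN and (dst, dport) not in ROUTER_ALLOWED_DST:
        alerts.append("router_unusual_outbound")
    return alerts


def scan(records):
    """Map record index -> triggered indicators, omitting clean records."""
    return {i: a for i, r in enumerate(records) if (a := classify(r))}


def dns_config_drift(advertised, expected=EXPECTED_DNS):
    """Resolvers the router now hands out (e.g. via DHCP) that are not in the baseline."""
    return sorted(set(advertised) - set(expected))


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS).items():
        print(idx, SAMPLE_RECORDS[idx][:3], hits)
    print("drift:", dns_config_drift(["192.168.1.1", "198.51.100.7"]))
```

The resolver check assumes clients are expected to use only the listed servers; on a network where clients legitimately use DNS over HTTPS, port 53 alone will not see the redirection and the DHCP-advertised resolver comparison in `dns_config_drift` is the more reliable signal.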
Broader Implications
This vulnerability highlights the ongoing risk posed by legacy IoT and network devices. Organizations should maintain accurate inventories of network equipment and establish lifecycle management policies to ensure timely replacement of EOL devices.