CVE-2026-0625
D-Link DSL Command Injection via DNS Configuration Endpoint
Description
Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.
INFO
Published Date :
Jan. 5, 2026, 10:15 p.m.
Last Modified :
Jan. 5, 2026, 10:15 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2026-0625
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | CRITICAL | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update device firmware to the latest available version.
- Disable remote administration features if not needed.
- Restrict access to administrative interfaces.
- Replace end-of-life devices.
Public PoC/Exploit Available at Github
CVE-2026-0625 has a 1 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-0625.
| URL | Resource |
|---|---|
| https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068 | |
| https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-0625 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-0625
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Community reconstruction of the legacy JSON NVD Data Feeds. This project uses and redistributes data from the NVD API but is neither endorsed nor certified by the NVD.
Shell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-0625 vulnerability anywhere in the article.
-
Daily CyberSecurity
Self-Hosters Beware: 3 Critical Coolify Flaws Grant Root Access
The self-hosting community is on high alert following the disclosure of three critical vulnerabilities in Coolify, the open-source platform designed to simplify application deployment. Security resear ... Read more
-
The Hacker News
Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers
Jan 07, 2026Ravie LakshmananNetwork Security / Vulnerability A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulner ... Read more
-
Daily CyberSecurity
The 1000Hz Illusion: NVIDIA Unveils G-SYNC Pulsar and DLSS 4.5 at CES 2026
As CES 2026 approaches, NVIDIA unveiled a slate of consumer-facing updates for gamers and creators during its pre-show event. Highlights include G-SYNC Pulsar technology, capable of delivering 1000Hz- ... Read more
-
Daily CyberSecurity
CVE-2025-14026: Forcepoint DLP Flaw Lets Attackers Unchain Restricted Python
A high-severity vulnerability in the Forcepoint One DLP Client has been disclosed, revealing a method for attackers to break out of a vendor-imposed “sandbox” and execute arbitrary code on protected e ... Read more
-
Daily CyberSecurity
Google Patches High-Severity “WebView” Flaw in Chrome 143
Google has announced an important security update for the Stable channel of its Chrome browser, rolling out patches to Windows, Mac, and Linux users to address a high-severity vulnerability that could ... Read more
-
BleepingComputer
New D-Link flaw in legacy DSL routers actively exploited in attacks
Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago. The vulnerability is now tracked ... Read more
The following table lists the changes that have been made to the
CVE-2026-0625 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
New CVE Received by [email protected]
Jan. 05, 2026
Action Type Old Value New Value Added Tag unsupported-when-assigned Added Description Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-78 Added Reference https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068 Added Reference https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint