CVE-2026-0625
D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint
Description
Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).
INFO
Published Date :
Jan. 5, 2026, 10:15 p.m.
Last Modified :
Jan. 8, 2026, 4:16 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2026-0625
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 4.0 | CRITICAL | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 4.0 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update device firmware to the latest available version.
- Disable remote administration features if not needed.
- Restrict access to administrative interfaces.
- Replace end-of-life devices.
Public PoC/Exploit Available at Github
CVE-2026-0625 has a 1 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-0625.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-0625 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-0625
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Community reconstruction of the legacy JSON NVD Data Feeds. This project uses and redistributes data from the NVD API but is neither endorsed nor certified by the NVD.
Shell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-0625 vulnerability anywhere in the article.
-
Daily CyberSecurity
CISA KEV Alert: HPE’s Maximum CVSS Score Flaw and a Zombie PowerPoint Bug
The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog with two new entries that span nearly two decades of computing history. The la ... Read more
-
Daily CyberSecurity
Public Exploit Released: Critical n8n Flaw CVE-2026-21858 Exposes 100k Servers
The “central nervous system” of automation for thousands of companies has a critical weakness. A new report from Cyera reveals a devastating vulnerability in n8n, the popular workflow automation platf ... Read more
-
Daily CyberSecurity
“VM Isolation is Not Absolute”: Researchers Unmask Sophisticated ESXi “Maestro” Exploit
In a new report, the Huntress Tactical Response Team details a sophisticated intrusion discovered in December 2025 where threat actors successfully executed a “VM escape”—breaking out of a guest virtu ... Read more
-
Daily CyberSecurity
One Request to Rule Them All: Critical Trendnet Flaw (CVE-2025-15471) Allows Total Takeover
A critical pre-authentication command injection vulnerability has been uncovered in the Trendnet TEW-713RE Wi-Fi extender, allowing remote attackers to seize full control of the device with a single H ... Read more
-
Daily CyberSecurity
CVE-2025-60262: Critical Misconfiguration in H3C Wireless Gear Hands Control to Hackers
A glaring configuration oversight in select H3C wireless controllers and access points has opened the door for remote attackers to seize root-level control of the devices. The vulnerability, tracked a ... Read more
-
Daily CyberSecurity
Self-Hosters Beware: 3 Critical Coolify Flaws Grant Root Access
The self-hosting community is on high alert following the disclosure of three critical vulnerabilities in Coolify, the open-source platform designed to simplify application deployment. Security resear ... Read more
-
The Hacker News
Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers
Jan 07, 2026Ravie LakshmananNetwork Security / Vulnerability A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulner ... Read more
-
Daily CyberSecurity
The 1000Hz Illusion: NVIDIA Unveils G-SYNC Pulsar and DLSS 4.5 at CES 2026
As CES 2026 approaches, NVIDIA unveiled a slate of consumer-facing updates for gamers and creators during its pre-show event. Highlights include G-SYNC Pulsar technology, capable of delivering 1000Hz- ... Read more
-
Daily CyberSecurity
CVE-2025-14026: Forcepoint DLP Flaw Lets Attackers Unchain Restricted Python
A high-severity vulnerability in the Forcepoint One DLP Client has been disclosed, revealing a method for attackers to break out of a vendor-imposed “sandbox” and execute arbitrary code on protected e ... Read more
-
Daily CyberSecurity
Google Patches High-Severity “WebView” Flaw in Chrome 143
Google has announced an important security update for the Stable channel of its Chrome browser, rolling out patches to Windows, Mac, and Linux users to address a high-severity vulnerability that could ... Read more
-
BleepingComputer
New D-Link flaw in legacy DSL routers actively exploited in attacks
Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago. The vulnerability is now tracked ... Read more
The following table lists the changes that have been made to the
CVE-2026-0625 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
Jan. 08, 2026
Action Type Old Value New Value Changed Description Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020. Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Removed CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-306 Removed CWE CWE-78 Added Reference https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118 -
CVE Modified by [email protected]
Jan. 07, 2026
Action Type Old Value New Value Added Reference https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488 -
New CVE Received by [email protected]
Jan. 05, 2026
Action Type Old Value New Value Added Tag unsupported-when-assigned Added Description Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-78 Added Reference https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068 Added Reference https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint