Could this vulnerability have been mitigated?

Yes, organizations could have mitigated risk by retiring unsupported devices, enforcing network segmentation and policy, and monitoring for anomalies in DNS and edge device behavior.

What are the main risks of continued use of legacy or unpatched routers?

Legacy unpatched routers allow attackers unauthenticated access, enabling RCE, persistent DNS hijacking, traffic interception, and exposing all connected devices to downstream compromise.

D-Link Legacy Routers Under Siege: CVE-2026-0625 RCE Flaw Exploited in Active Campaigns

Q: What compliance or security gaps were exposed by the D-Link legacy router exploit?

The incident revealed risks from unsupported and end-of-life devices, lacking basic controls like input sanitization, firmware updates, and proper access restrictions essential under frameworks such as NIST and PCI DSS.

Critical unauthenticated RCE flaw in outdated D-Link DSL routers is being weaponized in the wild, putting organizations and end-users at heightened risk of DNS hijacking and persistent compromise.

Published: January 11, 2026

Share this on:

Executive Summary

In late 2025 and early 2026, a critical security vulnerability (CVE-2026-0625, CVSS 9.3) in legacy D-Link DSL routers was actively exploited, enabling unauthenticated remote code execution. The flaw arises from insufficient input sanitization on the dnscfg.cgi endpoint, allowing attackers to inject arbitrary shell commands and modify DNS settings remotely. As reported by VulnCheck and observed by the Shadowserver Foundation, exploitation affected end-of-life models including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, leading to large-scale DNS hijacking, persistent traffic redirection, and compromised user privacy and security for any device behind these routers.

This incident highlights the ongoing risk posed by end-of-life and unsupported network hardware, which remains prevalent in many organizations. The swift weaponization of unauthenticated RCE vulnerabilities in edge devices—especially those lacking patch support—underscores the need for proactive infrastructure lifecycle management, supply chain visibility, and robust segmentation to defend against fast-evolving infrastructure-targeted threats.

Why This Matters Now

Many organizations continue to use unsupported legacy network hardware, exposing themselves to critical vulnerabilities that cannot be patched. The exploitation of CVE-2026-0625 shows how internet-facing infrastructure can be hijacked rapidly, enabling attackers to compromise internal networks and exfiltrate data, making urgent remediation and device replacement a top security priority.

Attack Path Analysis

Attackers remotely exploited a command injection flaw in the D-Link DSL router’s dnscfg.cgi endpoint, allowing unauthenticated code execution. After establishing a foothold, they gained control over router processes, escalating privileges to manipulate network traffic handling. From there, adversaries could pivot laterally to devices behind the compromised gateway. Command and control was maintained via modified DNS configurations, establishing connections to attacker infrastructure. Exfiltration of sensitive traffic was enabled by persistent DNS hijacking and redirection. The impact included widespread compromise of all client traffic, enabling surveillance, redirection, or traffic blocking on affected networks.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

High

Exfiltration

Mediuminferred

Impact

High

Initial Compromise

Description

Adversaries remotely exploited the unauthenticated command injection vulnerability (CVE-2026-0625) in the dnscfg.cgi endpoint to gain initial code execution on legacy D-Link DSL gateway routers.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-0625
CVSS 9.3
An authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint of multiple D-Link DSL/DIR/DNS devices allows unauthenticated attackers to modify DNS settings, enabling DNS hijacking attacks.
Affected Products:
D-Link DSL-500 – All
D-Link DSL-500G – All
D-Link DSL-502G – All
D-Link DSL-526B – <= 2.01
D-Link DSL-2640B – <= 1.07
D-Link DSL-2640T – All
D-Link DSL-2740R – < 1.17
D-Link DSL-2780B – <= 1.01.14
D-Link DIR-600 – All
D-Link DIR-608 – All
D-Link DIR-610 – All
D-Link DIR-611 – All
D-Link DIR-615 – All
D-Link DIR-905L – All
D-Link DNS-320 – All
D-Link DNS-325 – All
D-Link DNS-345 – All
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2026-0625 https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488 https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint https://fieldeffect.com/blog/legacy-d-link-routers-exploited-via-unauthenticated-dns-hijacking

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1059.004

Command and Scripting Interpreter: Unix Shell

Initial Access

T1210

Exploitation of Remote Services

Discovery

T1046

Network Service Discovery

Impact

T1565.001

Data Manipulation: Stored Data Manipulation

Defense Evasion

T1600

Weaken Encryption

Impact

T1496

Resource Hijacking

Impact

T1499.001

Endpoint Denial of Service: Network DoS

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Security of Network Devices

Control ID: 6.2.4

The use of unsupported, unpatched legacy network devices violates PCI DSS requirements for keeping all components within the cardholder data environment secure, exposing sensitive network paths to compromise.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

Failure to retire or patch end-of-life routers reflects insufficient cybersecurity policy and risk management, potentially leading to regulatory breaches in securing information systems.

DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework

Control ID: Article 8

Persistent use of outdated and vulnerable network infrastructure demonstrates ineffective ICT risk management and increases operational risk, contravening DORA's requirements for continual assessment and mitigation.

CISA ZTMM 2.0 – Asset and Device Inventory & Management

Control ID: Pillar 2: Device Security

Failure to inventory and retire unsupported network devices undermines visibility and increases surface area for attack, violating Zero Trust principles for asset management.

NIS2 Directive – Technical and Organizational Measures

Control ID: Article 21

Using end-of-life routers with known vulnerabilities contravenes NIS2 requirements for technical and organizational security measures to address cyber risks across essential digital infrastructure.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Telecommunications

Legacy D-Link DSL routers critical for network infrastructure face unauthenticated remote code execution, enabling DNS hijacking and traffic interception across telecommunications networks.

Financial Services

DNS hijacking via CVE-2026-0625 threatens secure communications and compliance requirements, potentially redirecting financial transactions through compromised end-of-life gateway infrastructure.

Health Care / Life Sciences

Unpatchable DSL gateway vulnerabilities compromise HIPAA compliance through DNS manipulation, enabling persistent network compromise affecting all downstream medical devices and systems.

Government Administration

Legacy router exploitation enables state-level DNS hijacking campaigns, compromising government network integrity and creating persistent backdoors for sensitive data exfiltration.

Sources

Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routershttps://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html
Verified

D-Link Legacy (EOL/EOS) DSL Gateways/Routers: CVE-2026-0625: Command Injection via DNS feature exploithttps://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488

Verified

D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpointhttps://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint

Verified

Legacy D-Link routers exploited via unauthenticated DNS hijackinghttps://fieldeffect.com/blog/legacy-d-link-routers-exploited-via-unauthenticated-dns-hijacking

Verified

Frequently Asked Questions

The incident revealed risks from unsupported and end-of-life devices, lacking basic controls like input sanitization, firmware updates, and proper access restrictions essential under frameworks such as NIST and PCI DSS.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Applying Zero Trust Segmentation, egress policy enforcement, and network anomaly detection would have curtailed the attack’s spread from the gateway, limited attacker persistence, and detected malicious traffic manipulation before widespread impact. CNSF controls ensure even compromised infrastructure cannot easily be used to pivot, exfiltrate, or sustain C2 in cloud-connected or hybrid environments.

Initial Compromise

Control: Cloud Firewall (ACF)

Mitigation: Exposure of legacy, vulnerable management endpoints would be minimized.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Compromised gateway would have limited access to downstream or lateral assets.

Lateral Movement

Control: East-West Traffic Security

Mitigation: Internal routing and access to other workloads would be closely monitored and controlled.

Command & Control

Control: Egress Security & Policy Enforcement

Mitigation: Outbound connections to malicious infrastructure would be detected and potentially blocked.

Exfiltration

Control: Encrypted Traffic (HPE)

Mitigation: Sensitive data in transit would be encrypted, reducing the value of intercepted communications.

Impact (Mitigations)

Rapid detection of unusual DNS changes and traffic patterns enables timely incident response.

Impact at a Glance

Affected Business Functions

Network Operations
Internet Connectivity

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of sensitive data due to DNS hijacking, leading to interception or redirection of user traffic.

Recommended Actions

• Immediately retire or segment end-of-life, unpatchable legacy routers from all environments.
• Enforce Zero Trust Segmentation and microsegmentation to isolate gateways and prevent lateral movement from perimeter devices.
• Deploy Cloud Firewall and strict egress controls to block malicious inbound and outbound management or DNS traffic.
• Implement continuous threat detection and anomaly response to quickly surface unusual traffic patterns or configuration changes.
• Ensure all traffic (including internal east-west flows) is encrypted to reduce the risk from compromised network infrastructure.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

D-Link Legacy Routers Under Siege: CVE-2026-0625 RCE Flaw Exploited in Active Campaigns

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-0625

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Command and Scripting Interpreter: Unix Shell

Exploitation of Remote Services

Network Service Discovery

Data Manipulation: Stored Data Manipulation

Weaken Encryption

Resource Hijacking

Endpoint Denial of Service: Network DoS

Potential Compliance Exposure

PCI DSS 4.0 – Security of Network Devices

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework

CISA ZTMM 2.0 – Asset and Device Inventory & Management

NIS2 Directive – Technical and Organizational Measures

Sector Implications

Telecommunications

Financial Services

Health Care / Life Sciences

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads