D-Link Legacy Routers Under Siege: CVE-2026-0625 RCE Flaw Exploited in Active Campaigns
Executive Summary
In late 2025 and early 2026, a critical security vulnerability (CVE-2026-0625, CVSS 9.3) in legacy D-Link DSL routers was actively exploited, enabling unauthenticated remote code execution. The flaw arises from insufficient input sanitization on the dnscfg.cgi endpoint, allowing attackers to inject arbitrary shell commands and modify DNS settings remotely. As reported by VulnCheck and observed by the Shadowserver Foundation, exploitation affected end-of-life models including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, leading to large-scale DNS hijacking, persistent traffic redirection, and compromised user privacy and security for any device behind these routers.
This incident highlights the ongoing risk posed by end-of-life and unsupported network hardware, which remains prevalent in many organizations. The swift weaponization of unauthenticated RCE vulnerabilities in edge devices—especially those lacking patch support—underscores the need for proactive infrastructure lifecycle management, supply chain visibility, and robust segmentation to defend against fast-evolving infrastructure-targeted threats.
Why This Matters Now
Many organizations continue to use unsupported legacy network hardware, exposing themselves to critical vulnerabilities that cannot be patched. The exploitation of CVE-2026-0625 shows how internet-facing infrastructure can be hijacked rapidly, enabling attackers to compromise internal networks and exfiltrate data, making urgent remediation and device replacement a top security priority.
Attack Path Analysis
Attackers remotely exploited a command injection flaw in the D-Link DSL router’s dnscfg.cgi endpoint, allowing unauthenticated code execution. After establishing a foothold, they gained control over router processes, escalating privileges to manipulate network traffic handling. From there, adversaries could pivot laterally to devices behind the compromised gateway. Command and control was maintained via modified DNS configurations, establishing connections to attacker infrastructure. Exfiltration of sensitive traffic was enabled by persistent DNS hijacking and redirection. The impact included widespread compromise of all client traffic, enabling surveillance, redirection, or traffic blocking on affected networks.
Kill Chain Progression
Initial Compromise
Description
Adversaries remotely exploited the unauthenticated command injection vulnerability (CVE-2026-0625) in the dnscfg.cgi endpoint to gain initial code execution on legacy D-Link DSL gateway routers.
Related CVEs
CVE-2026-0625
CVSS 9.3An authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint of multiple D-Link DSL/DIR/DNS devices allows unauthenticated attackers to modify DNS settings, enabling DNS hijacking attacks.
Affected Products:
D-Link DSL-500 – All
D-Link DSL-500G – All
D-Link DSL-502G – All
D-Link DSL-526B – <= 2.01
D-Link DSL-2640B – <= 1.07
D-Link DSL-2640T – All
D-Link DSL-2740R – < 1.17
D-Link DSL-2780B – <= 1.01.14
D-Link DIR-600 – All
D-Link DIR-608 – All
D-Link DIR-610 – All
D-Link DIR-611 – All
D-Link DIR-615 – All
D-Link DIR-905L – All
D-Link DNS-320 – All
D-Link DNS-325 – All
D-Link DNS-345 – All
Exploit Status:
exploited in the wildReferences:
https://nvd.nist.gov/vuln/detail/CVE-2026-0625https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpointhttps://fieldeffect.com/blog/legacy-d-link-routers-exploited-via-unauthenticated-dns-hijacking
MITRE ATT&CK® Techniques
This MITRE ATT&CK mapping covers core network device exploitation, command injection via unauthenticated endpoints, network manipulation, and DNS hijacking. It is suitable for SEO/filtering and may be expanded with fuller threat intelligence enrichment in future.
Exploit Public-Facing Application
Command and Scripting Interpreter: Unix Shell
Exploitation of Remote Services
Network Service Discovery
Data Manipulation: Stored Data Manipulation
Weaken Encryption
Resource Hijacking
Endpoint Denial of Service: Network DoS
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of Network Devices
Control ID: 6.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
CISA ZTMM 2.0 – Asset and Device Inventory & Management
Control ID: Pillar 2: Device Security
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Legacy D-Link DSL routers critical for network infrastructure face unauthenticated remote code execution, enabling DNS hijacking and traffic interception across telecommunications networks.
Financial Services
DNS hijacking via CVE-2026-0625 threatens secure communications and compliance requirements, potentially redirecting financial transactions through compromised end-of-life gateway infrastructure.
Health Care / Life Sciences
Unpatchable DSL gateway vulnerabilities compromise HIPAA compliance through DNS manipulation, enabling persistent network compromise affecting all downstream medical devices and systems.
Government Administration
Legacy router exploitation enables state-level DNS hijacking campaigns, compromising government network integrity and creating persistent backdoors for sensitive data exfiltration.
Sources
- Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routershttps://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.htmlVerified
- D-Link Legacy (EOL/EOS) DSL Gateways/Routers: CVE-2026-0625: Command Injection via DNS feature exploithttps://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488Verified
- D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpointhttps://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpointVerified
- Legacy D-Link routers exploited via unauthenticated DNS hijackinghttps://fieldeffect.com/blog/legacy-d-link-routers-exploited-via-unauthenticated-dns-hijackingVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Applying Zero Trust Segmentation, egress policy enforcement, and network anomaly detection would have curtailed the attack’s spread from the gateway, limited attacker persistence, and detected malicious traffic manipulation before widespread impact. CNSF controls ensure even compromised infrastructure cannot easily be used to pivot, exfiltrate, or sustain C2 in cloud-connected or hybrid environments.
Control: Cloud Firewall (ACF)
Mitigation: Exposure of legacy, vulnerable management endpoints would be minimized.
Control: Zero Trust Segmentation
Mitigation: Compromised gateway would have limited access to downstream or lateral assets.
Control: East-West Traffic Security
Mitigation: Internal routing and access to other workloads would be closely monitored and controlled.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to malicious infrastructure would be detected and potentially blocked.
Control: Encrypted Traffic (HPE)
Mitigation: Sensitive data in transit would be encrypted, reducing the value of intercepted communications.
Rapid detection of unusual DNS changes and traffic patterns enables timely incident response.
Impact at a Glance
Affected Business Functions
- Network Operations
- Internet Connectivity
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive data due to DNS hijacking, leading to interception or redirection of user traffic.
Recommended Actions
Key Takeaways & Next Steps
- • Immediately retire or segment end-of-life, unpatchable legacy routers from all environments.
- • Enforce Zero Trust Segmentation and microsegmentation to isolate gateways and prevent lateral movement from perimeter devices.
- • Deploy Cloud Firewall and strict egress controls to block malicious inbound and outbound management or DNS traffic.
- • Implement continuous threat detection and anomaly response to quickly surface unusual traffic patterns or configuration changes.
- • Ensure all traffic (including internal east-west flows) is encrypted to reduce the risk from compromised network infrastructure.
