New D-link Flaw In Legacy Dsl Routers Actively Exploited In Attacks

Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago.

The vulnerability is now tracked as CVE-2026-0625 and affects the dnscfg.cgi endpoint due to improper input sanitization in a CGI library. An unauthenticated attacker could leverage this to execute remote commands via DNS configuration parameters.

Vulnerability intelligence company VulnCheck reported the problem to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots.

VulnCheck told BleepingComputer that the technique captured by Shadowserver does not appear to have been publicly documented.

"An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution," VulnCheck says in the security advisory.

In collaboration with VulnCheck, D-Link confirmed the following device models and firmware versions to be affected by CVE-2026-0625:

The above have reached end-of-life (EoL) since 2020 and will not receive firmware updates to address CVE-2026-0625. Hence, the vendor strongly recommends retiring and replacing the affected devices with supported models.

D-Link is still trying to determine if any other products are impacted by analyzing various firmware releases.

"Both D-Link and VulnCheck face complexity in precisely identifying all impacted models due to variations in firmware implementations and product generations," D-Link explains.

"Current analysis shows no reliable model number detection method beyond direct firmware inspection. For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation," says the vendor.

Source: BleepingComputer