Critical D-Link Router Flaw Under Active Attack, No Patch Coming
CVE-2026-0625 allows unauthenticated remote code execution on legacy DSL routers. Affected models reached end-of-life in 2020 and won't receive fixes.
Attackers are actively exploiting a critical remote code execution vulnerability in legacy D-Link DSL routers. CVE-2026-0625 carries a CVSS 4.0 score of 9.3 and allows unauthenticated attackers to execute arbitrary commands through the device's web interface. D-Link won't patch it because the affected models reached end-of-life six years ago.
VulnCheck published the advisory on January 5, but the Shadowserver Foundation first observed exploitation attempts back in November 2025—months before public disclosure.
What Is CVE-2026-0625?
The vulnerability exists in the dnscfg.cgi endpoint, which handles DNS configuration on affected routers. User-supplied DNS parameters aren't properly sanitized before being passed to shell commands.
An attacker can inject arbitrary shell commands into the DNS configuration request. No authentication required. No user interaction needed. Just send a malicious HTTP request to the router's web interface and gain command execution.
From VulnCheck's advisory: "An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution."
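The defect the advisory describes is a classic one: a value taken from an HTTP parameter is spliced into a shell command line. The following Python is an added illustration written for this article, not the router firmware's code (which is not shown on the page); the function names, the `/etc/resolv.conf` path and the sample inputs are assumptions. It contrasts the unsafe string-splice with two hardened variants: validating that the parameter is a bare IP address literal before it goes anywhere near a command, and, better still, writing the configuration directly without any shell.

```python
import ipaddress
import shlex
from typing import Iterable

# Unsafe pattern (illustrative only): the DNS parameter from the request is
# concatenated straight into a command line. Any shell metacharacter in the
# parameter changes what the command does. Returned as a string here, never run.
def build_resolv_command_unsafe(dns_server: str) -> str:
    return "echo nameserver " + dns_server + " > /etc/resolv.conf"


def validate_dns_server(value: str) -> str:
    """Accept only a bare IPv4/IPv6 literal; return its canonical form.

    ipaddress.ip_address raises ValueError for anything that is not exactly an
    address literal, so separators, whitespace and quoting never get through.
    """
    addr = ipaddress.ip_address(value.strip())
    return str(addr)


def build_resolv_command_safe(dns_server: str) -> str:
    """Hardened variant if a shell must be used: validate first, then quote."""
    addr = validate_dns_server(dns_server)
    return "echo nameserver " + shlex.quote(addr) + " > /etc/resolv.conf"


def render_resolv_conf(dns_servers: Iterable[str]) -> str:
    """Preferred variant: build the file contents in code and write them with
    normal file I/O, so no command interpreter is involved at all."""
    lines = ["nameserver " + validate_dns_server(s) for s in dns_servers]
    return "\n".join(lines) + "\n"


def is_acceptable_dns_parameter(value: str) -> bool:
    """Boolean form of the validator, convenient for request filtering or
    for flagging malformed dnscfg-style parameters in proxy or IDS logs."""
    try:
        validate_dns_server(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one valid, one that a real validator must reject.
    for candidate in ("8.8.8.8", "2001:0db8::0001", "1.1.1.1;echo"):
        print(candidate, "->", is_acceptable_dns_parameter(candidate))
```

The point of the third variant is that the bug class disappears entirely once the configuration is produced by code rather than by a command interpreter; quoting is a fallback for code that cannot be restructured, and validation by type (an address literal, not a free-form string) is what makes either approach robust.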
Once attackers have code execution on the router, they can:
- Modify DNS settings to redirect all traffic through malicious servers
- Install persistent backdoors
- Use the compromised device as a pivot point into the internal network
- Add the router to a botnet for DDoS attacks
- Intercept or modify unencrypted traffic passing through the device
Affected Models
The following D-Link DSL routers are vulnerable:
| Model | Vulnerable Firmware Versions |
|---|---|
| DSL-2640B | ≤ 1.07 |
| DSL-2740R | < 1.17 |
| DSL-2780B | ≤ 1.01.14 |
| DSL-526B | ≤ 2.01 |
All of these models reached end-of-life status in early 2020. D-Link has explicitly stated they will not release firmware updates to address CVE-2026-0625.
Exploitation Timeline
This vulnerability didn't suddenly appear—attackers found it before researchers did:
- November 27, 2025: Shadowserver Foundation first documented active exploitation attempts
- December 16, 2025: VulnCheck reported ongoing malicious activity in honeypot data
- January 5, 2026: VulnCheck published public advisory with technical details
- January 7, 2026: Widespread reporting and continued exploitation
The two-month gap between first exploitation and public disclosure means attackers had plenty of time to compromise vulnerable devices before defenders knew to look.
DNS Hijacking at Scale
This vulnerability leverages the same DNS configuration mechanism that D-Link previously warned about in DNSChanger campaigns targeting these router models between 2016 and 2019. History is repeating itself.
When attackers control a router's DNS settings, every device on that network becomes vulnerable to redirection attacks. Your computer asks for "bank.com" and the compromised router sends it to a phishing page. The attack is invisible to end users because the URL in their browser looks correct.
Field Effect's analysis noted: "Once altered, DNS entries can silently redirect traffic, resulting in a persistent compromise affecting every device behind the router."
This makes CVE-2026-0625 particularly dangerous for small businesses and home users who may have these older routers still in service. A single compromised router exposes every connected device.
What Should You Do?
If you're running any of the affected D-Link models, you have one option: replace the device.
D-Link's official recommendation is to "retire and replace the affected devices with supported models." There is no workaround, no mitigation that makes these devices safe. The vulnerability is in the core web interface, and the firmware won't be updated.
Immediate steps:
- Identify affected devices - Check router model numbers against the vulnerable list
- Disconnect from the internet - Remove affected routers from service immediately
- Replace with supported hardware - Any modern router from a vendor providing security updates
- Audit network DNS settings - Check if DNS was already modified on potentially compromised devices
- Review connected device behavior - Look for signs of traffic redirection or credential theft
Organizations with asset inventories should search for these model numbers. Home users may need to physically check their equipment if they don't know what router their ISP provided years ago.
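For organizations with an asset inventory, the first and fourth steps above (matching model numbers and firmware against the table in the "Affected Models" section, and checking whether a device's DNS settings still point where they should) can be scripted. The following Python is an added example written for this article, not a tool from D-Link or VulnCheck; the inventory records, the expected resolver address and the function names are constructed assumptions. It encodes the four model/version bounds exactly as the table gives them, including the difference between "≤ 1.07" and "< 1.17", and compares versions numerically component by component (so 1.07 sorts below 1.10, which is how D-Link numbers these builds; that interpretation is an assumption).

```python
import re
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# Vulnerable firmware bounds as listed in the advisory table on this page.
# "le" means the listed version is itself vulnerable (<=), "lt" means it is not (<).
VULNERABLE_BOUNDS: Dict[str, Tuple[str, str]] = {
    "DSL-2640B": ("le", "1.07"),
    "DSL-2740R": ("lt", "1.17"),
    "DSL-2780B": ("le", "1.01.14"),
    "DSL-526B": ("le", "2.01"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted firmware string into an integer tuple: '1.07' -> (1, 7).

    Trailing zero components are dropped so '2.01.0' compares equal to '2.01'.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    if not parts:
        raise ValueError(f"unparseable firmware version: {version!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(model: str, firmware: str) -> Optional[bool]:
    """True/False for a listed model; None when the model is not in the table."""
    key = model.strip().upper()
    if key not in VULNERABLE_BOUNDS:
        return None
    op, bound = VULNERABLE_BOUNDS[key]
    fw, limit = parse_version(firmware), parse_version(bound)
    return fw <= limit if op == "le" else fw < limit


def unexpected_resolvers(configured: Sequence[str], expected: Iterable[str]) -> List[str]:
    """Resolvers a device reports that are not in the organisation's approved set."""
    approved = set(expected)
    return [r for r in configured if r not in approved]


def audit_inventory(records: Iterable[Tuple[str, str, str, Sequence[str]]],
                    expected_dns: Iterable[str]) -> List[dict]:
    """records: (name, model, firmware, configured_dns_servers) per device."""
    expected = set(expected_dns)
    report = []
    for name, model, firmware, dns in records:
        report.append({
            "name": name,
            "model": model,
            "firmware": firmware,
            "vulnerable": is_vulnerable(model, firmware),
            "unexpected_dns": unexpected_resolvers(dns, expected),
        })
    return report


# Constructed sample inventory; addresses are documentation ranges, not real hosts.
SAMPLE_INVENTORY = [
    ("branch-1-gw", "DSL-2640B", "1.07", ["192.0.2.53"]),
    ("branch-2-gw", "DSL-2740R", "1.17", ["192.0.2.53"]),
    ("branch-3-gw", "DSL-2780B", "1.01.14", ["198.51.100.9"]),
    ("branch-4-gw", "DSL-526B", "2.02", ["192.0.2.53"]),
    ("hq-core", "OTHER-MODEL", "9.9", ["192.0.2.53"]),
]
EXPECTED_DNS = {"192.0.2.53"}

if __name__ == "__main__":
    for row in audit_inventory(SAMPLE_INVENTORY, EXPECTED_DNS):
        flag = {True: "REPLACE", False: "not in range", None: "model not listed"}[row["vulnerable"]]
        print(f"{row['name']:<12} {row['model']:<12} {row['firmware']:<8} {flag:<16} "
              f"unexpected DNS: {row['unexpected_dns'] or '-'}")
```

A device that is both in a vulnerable range and reporting a resolver outside the approved set should be treated as already compromised rather than merely exposed, since a changed resolver is exactly the persistence the Field Effect quote describes; in that case the replacement should be accompanied by a look at what the redirected clients were sent to.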
The EOL Problem
CVE-2026-0625 illustrates a persistent challenge in network security: consumer and small business networking equipment often runs for a decade or more, long past the point where vendors stop providing updates.
These D-Link routers were common ISP-provided devices in the mid-2010s. Many are still running because they still work—from a networking perspective. Users have no indication their router became a security liability years ago.
The affected devices will remain online for years despite this disclosure. Some owners won't hear about the vulnerability. Others won't care until something bad happens. And attackers know exactly which models to target.
If you're responsible for network security at any scale, this is a reminder to audit end-of-life equipment. The router working fine in the corner might be the biggest hole in your perimeter.