Active Exploitation Targets Legacy D-Link Routers
A critical vulnerability, tracked as CVE-2026-0625 with a severity score of 9.3, has been discovered in older D-Link routers. It allows hackers to execute arbitrary code remotely via the "dnscfg.cgi" component. The flaw arises from inadequate validation of DNS settings, which lets attackers alter the DNS configuration without authentication. Affected models include the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, which were targeted between 2016 and 2019.

The Shadowserver Foundation detected exploitation attempts on November 27, 2025. D-Link, informed by VulnCheck on December 16, 2025, is investigating the issue to determine the extent of affected models, given the variability in software and hardware, and plans to release an updated list of impacted models soon.

As these routers are no longer supported, users are advised to replace them with newer models that receive regular updates. By manipulating DNS settings, attackers can potentially redirect, block, or surveil internet traffic across all connected devices, which poses significant risks to organizations still using these outdated routers.
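For defenders who still have one of these devices in service, the following added example (not code from D-Link, VulnCheck or Shadowserver) scans HTTP access-log lines for requests to the "dnscfg.cgi" component and marks the ones that arrive from outside the LAN with parameters and are accepted. It assumes a Common Log Format log from a proxy or gateway in front of the router's management interface; the trusted range, sample lines and placeholder query strings are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Common Log Format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: management traffic should only originate from this LAN range.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines (documentation IP ranges, placeholder query strings).
SAMPLE_LOG = [
    '192.168.1.10 - - [27/Nov/2025:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.45 - - [27/Nov/2025:08:03:40 +0000] "GET /dnscfg.cgi?k=v HTTP/1.1" 200 131',
    '198.51.100.7 - - [27/Nov/2025:08:04:02 +0000] "GET /cgi-bin/../DNSCFG.CGI?k=v HTTP/1.0" 404 0',
    '192.168.1.10 - - [27/Nov/2025:09:15:00 +0000] "GET /dnscfg.cgi HTTP/1.1" 401 0',
    'malformed line without a request',
]

def find_dnscfg_requests(lines, trusted_nets=TRUSTED_NETS):
    """Return one dict per request whose path ends in dnscfg.cgi."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if parts.path.rsplit("/", 1)[-1].lower() != "dnscfg.cgi":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            external = not any(src in net for net in trusted_nets)
        except ValueError:
            external = True  # hostname or garbage in the client field
        hits.append({
            "src": m["src"], "ts": m["ts"], "status": int(m["status"]),
            "has_params": bool(parts.query), "external": external,
            # External, parameterised and accepted (2xx): investigate first.
            "priority": external and bool(parts.query) and m["status"].startswith("2"),
        })
    return hits

if __name__ == "__main__":
    for hit in find_dnscfg_requests(SAMPLE_LOG):
        print(hit)
```

A priority hit warrants checking the router's current DNS servers against the ones the ISP or organization actually assigned.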