Attackers have been actively exploiting a critical command injection vulnerability in multiple end-of-life D-Link router and NAS product lines since at least November 2025. The flaw, tracked as CVE-2026-0625 with a CVSS score of 9.3, requires no authentication and gives remote attackers full shell access on the device. The vendor will not issue patches because all affected hardware reached end-of-life in 2020.
What the Vulnerability Is
CVE-2026-0625 is a command injection vulnerability in the dnscfg.cgi endpoint, the CGI handler that processes DNS server configuration changes on affected D-Link devices. The endpoint accepts user-supplied DNS server parameters (primary and secondary DNS addresses) and passes them to underlying system calls without adequate sanitization or validation.
Because the CGI endpoint is accessible without authentication on affected firmware versions, an unauthenticated remote attacker can craft a malicious HTTP request that embeds shell metacharacters alongside the DNS parameter values. The embedded commands are executed with the privileges of the CGI process, which typically runs as root on these consumer-grade devices.
The attack surface is entirely pre-auth and reachable over the LAN-side web interface and, in many deployments, also via the WAN interface, because of misconfiguration or ISP-supplied firmware defaults that expose the management UI externally.
Affected Devices
VulnCheck, the firm that discovered and reported the vulnerability to D-Link on December 16, 2025, identified a broad product family affected across three D-Link hardware lines:
DSL gateway devices: DSL-500, DSL-500G, DSL-502G, DSL-526B, DSL-2640B, DSL-2640T, DSL-2740R, DSL-2780B
DIR wireless routers: DIR-600, DIR-608, DIR-610, DIR-611, DIR-615, DIR-905L
DNS NAS devices: DNS-320, DNS-325, DNS-345
All of these products were declared end-of-life by D-Link in early 2020. The vendor has confirmed no firmware updates are forthcoming and is recommending immediate device replacement.
How Exploitation Works
The dnscfg.cgi handler on these devices processes POST requests to configure DNS resolver settings. A legitimate request to change the primary DNS server looks roughly like:
An attacker exploiting CVE-2026-0625 injects shell commands into the dns1 or dns2 parameter using standard Unix shell syntax. Because the CGI script passes these values to a shell interpreter without proper escaping, commands appended via ;, `, or $() constructs are executed directly by the router’s shell.
Shadowserver Foundation first captured exploitation attempts on November 27, 2025, nearly three weeks before VulnCheck disclosed the issue to D-Link. This means the technique was already in active criminal use before defenders had any chance to respond. VulnCheck noted that the specific exploitation technique observed by Shadowserver had not been publicly documented prior to that discovery, indicating the attackers had independently reverse-engineered the vulnerability.
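Two defensive checks that follow from the section above, written here as an added example rather than code from the advisory or from D-Link's firmware: a strict allow-list validator of the kind the dnscfg.cgi handler should have applied to dns1/dns2 (only a dotted-quad IPv4 literal passes, so no shell syntax can reach a system call), and a scanner that applies the same check to access-log lines from a proxy or firewall placed in front of the device. The log format (`<src-ip> <method> <path?query> <status>`, parameters in the query string) and the sample lines are constructed assumptions for the example.

```python
import re
from ipaddress import IPv4Address, AddressValueError
from urllib.parse import parse_qs, urlsplit

# Characters that never belong in a DNS-server field but drive shell injection.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")


def is_valid_dns_param(value: str) -> bool:
    """Allow-list check: the field must be exactly one dotted-quad IPv4 literal.
    Metacharacters, hostnames and trailing garbage are all rejected."""
    if not value or len(value) > 15:
        return False
    try:
        IPv4Address(value)
    except AddressValueError:
        return False
    return True


def flag_dnscfg_requests(log_lines):
    """Return (src_ip, param, decoded_value, reason) for every dnscfg.cgi
    request whose dns1/dns2 value is not a clean IPv4 literal. An empty
    secondary server is a legitimate 'unset' and is not flagged."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # assumed 4-field proxy log format; skip anything else
        src, _method, target, _status = parts[:4]
        url = urlsplit(target)
        if not url.path.endswith("/dnscfg.cgi"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # URL-decodes
        for name in ("dns1", "dns2"):
            for raw in params.get(name, []):
                if raw == "" or is_valid_dns_param(raw):
                    continue
                reason = "shell-metachar" if SHELL_META.search(raw) else "non-ipv4"
                hits.append((src, name, raw, reason))
    return hits


# Constructed sample log lines (not real traffic): one legitimate change,
# two requests carrying values a configuration change would never contain.
SAMPLE_LOG = [
    "192.0.2.10 POST /dnscfg.cgi?dns1=203.0.113.53&dns2=203.0.113.54 200",
    "198.51.100.7 POST /dnscfg.cgi?dns1=203.0.113.53%3Btrue&dns2=203.0.113.54 200",
    "198.51.100.7 POST /dnscfg.cgi?dns1=%24%28true%29&dns2= 200",
]

if __name__ == "__main__":
    for hit in flag_dnscfg_requests(SAMPLE_LOG):
        print("suspicious dnscfg.cgi request:", hit)
```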
What Attackers Are Doing With It
Post-exploitation activity on compromised D-Link devices follows well-worn patterns for router-targeting malware. The Shadowserver data and VulnCheck’s research connect CVE-2026-0625 exploitation to the GhostDNS and DNSChanger malware ecosystems, large-scale DNS hijacking operations that have been documented since at least 2019, when Netlab reported over 100,000 compromised routers in a single campaign.
Once an attacker achieves RCE, typical payloads include:
- DNS resolver replacement: Changing the device’s upstream DNS settings to attacker-controlled resolvers, enabling man-in-the-middle interception of all DNS queries made by hosts on the network. This silently redirects banking, email, and cloud service traffic to phishing infrastructure without any client-side indicators.
- Persistent backdoor installation: Dropping a lightweight daemon or adding a cron job that survives reboots and beacons out to a C2 infrastructure.
- Botnet enrollment: Adding the device to a DDoS-for-hire or proxy network. EoL consumer routers with always-on connectivity and minimal security tooling are highly valued as botnet nodes because they resist cleanup and are rarely monitored.
- Lateral movement staging: Using the compromised router as a pivot point into the LAN segment it bridges, reaching internal hosts that would otherwise be unreachable from the internet.
Why This Is Particularly Hard to Mitigate
The EoL status is the core problem. D-Link has been explicit: no patches will be issued for any affected device. This leaves network operators and home users with a device that is permanently vulnerable and actively targeted, with no software-side remediation path.
Several factors compound the exposure:
Widespread deployment: DSL-26xx and DIR-6xx series devices were distributed broadly by ISPs in North America, Latin America, Asia-Pacific, and Europe as CPE (customer-premises equipment) throughout the 2010s. Many remain in active use, either because end users have never replaced them or because ISPs have not forced upgrades on their subscriber base.
WAN exposure by default: ISP-provisioned firmware variants for many of these models enable remote management over the WAN interface by default. This makes the CGI endpoint reachable from the public internet without any attacker needing LAN access first.
No telemetry on the device: These devices produce no meaningful security logs and are not integrated into any EDR or SIEM. Compromise is effectively invisible to the device owner.
What You Should Do
If you operate or manage networks where these devices are present:
The only fully effective remediation is device replacement. D-Link itself recommends this. Any device in the affected list should be treated as untrustworthy and replaced with a supported model that receives firmware updates.
If immediate replacement is not possible:
- Disable remote management on the WAN interface. This eliminates the most dangerous attack vector (internet-reachable CGI endpoints). Most devices expose this under Advanced → Remote Management or equivalent.
- Place the device behind a firewall that blocks inbound connections to TCP 80 and TCP 443 from untrusted sources. This does not prevent LAN-side exploitation but removes public reachability.
- Monitor DNS resolution behavior from hosts behind the router. Unexpected DNS server changes or traffic to unfamiliar resolver IPs are strong indicators of compromise.
- Check your router’s current DNS settings against what your ISP assigned. Unauthorized changes to 8.8.x.x, 1.1.x.x, or any IP you did not set yourself should be treated as an incident.
Indicators of Compromise:
- DNS settings on the router changed without admin action
- Outbound connections from the router to unusual IPs on non-standard ports
- Hosts behind the router experiencing certificate errors on HTTPS sites (indicative of TLS interception via DNS hijacking)
- Unexpected processes running on the device (accessible via Telnet if enabled)
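The DNS-drift check recommended above (compare the router's resolvers against what the ISP assigned, and treat any change you did not make as an incident), as an added example that is not part of the original article. It assumes you periodically snapshot the resolver list from the router's status page or from a host behind it; the snapshots, the ISP-assigned set and the resolv.conf text below are constructed sample data.

```python
from ipaddress import ip_address


def resolvers_from_resolv_conf(text: str):
    """Pull 'nameserver' entries from resolv.conf-style text on a LAN host,
    which is where the router's DNS hijack shows up first."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def find_dns_drift(observations, expected):
    """observations: chronological (timestamp, [resolver IPs]) snapshots.
    expected: the resolver set the ISP assigned (what the admin configured).
    Returns one event per change; a change that introduces a resolver
    outside `expected` is an incident, a change back to `expected` is info."""
    expected = {ip_address(s) for s in expected}
    events = []
    previous = expected  # baseline: first snapshot is compared to expected
    for ts, servers in observations:
        current = {ip_address(s) for s in servers}
        if current != previous:
            unexpected = current - expected
            events.append({
                "time": ts,
                "added": sorted(str(ip) for ip in current - previous),
                "removed": sorted(str(ip) for ip in previous - current),
                "severity": "incident" if unexpected else "info",
            })
        previous = current
    return events


# Constructed sample data: ISP-assigned resolvers, then four snapshots in
# which the primary resolver is swapped for an unknown IP and later restored.
EXPECTED = ["203.0.113.53", "203.0.113.54"]
SAMPLE_OBSERVATIONS = [
    ("2026-04-01T08:00", ["203.0.113.53", "203.0.113.54"]),
    ("2026-04-01T12:00", ["203.0.113.54", "203.0.113.53"]),   # same set, reordered
    ("2026-04-01T13:30", ["198.51.100.99", "203.0.113.54"]),  # primary hijacked
    ("2026-04-01T14:00", ["203.0.113.53", "203.0.113.54"]),   # admin restored it
]
SAMPLE_RESOLV_CONF = "search lan\nnameserver 198.51.100.99\nnameserver 203.0.113.54\n"

if __name__ == "__main__":
    for event in find_dns_drift(SAMPLE_OBSERVATIONS, EXPECTED):
        print(event)
```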
Timeline
| Date | Event |
|---|---|
| Nov 27, 2025 | Shadowserver Foundation records first exploitation attempts in the wild |
| Dec 16, 2025 | VulnCheck reports active exploitation to D-Link |
| Early 2026 | D-Link confirms no patch will be issued; recommends device retirement |
| April 2026 | Exploitation ongoing; GhostDNS-linked activity continues |
The gap between Shadowserver’s first observation and VulnCheck’s disclosure to the vendor underscores a recurring dynamic with EoL hardware: attackers develop and deploy exploits for abandoned devices precisely because there is no coordinated disclosure process that results in a patch, only a vendor statement recommending replacement that most users will never see.
Sources:
- VulnCheck Advisory: D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint
- Dark Reading: Attackers Exploit Zero-Day in End-of-Life D-Link Routers
- SecurityWeek: Hackers Exploit Zero-Day in Discontinued D-Link Devices
- BleepingComputer: New D-Link flaw in legacy DSL routers actively exploited in attacks
- D-Link Security Advisory SAP10488