Recently, an exploit has been discovered in older model routers from D-Link (Product Code: DGS-2100) due to a security vulnerability identified with the CVE number CVE-2026-0625 and corresponding CVSS rating of 9.3/10. Basically, if an attacker knows the network configuration of the D-Link routers, they have the ability to inject malicious commands (or code) into the device through the dnscfg.cgi form without needing to authenticate (i.e., via a username and password).
This vulnerability is mostly attributed to a lack of proper input validation at the dnscfg.cgi form during the configuration process prior to setting up DNS services.
"An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution," VulnCheck warned. The affected endpoint also facilitates unauthenticated DNS modification, previously documented by D-Link under “DNSChanger” campaigns targeting models from 2016–2019.
Affected Models (Legacy Firmware)
1. DSL-2640B ≤ 1.07
2. DSL-2740R < 1.17
3. DSL-2780B ≤ 1.01.14
4. DSL-526B ≤ 2.01
Most of these products are now considered end-of-life and have no updates or patches available for them; therefore, it is highly recommended that you upgrade to a supported product. On November 27, 2025, the Shadowserver Foundation documented the first attempted exploitation of these devices.
Cybersecurity Impact
Exploitation allows attackers to:
1. Execute arbitrary shell commands remotely
2. Modify DNS entries silently, redirecting or intercepting traffic
3. Compromise all devices behind the affected router persistently
"CVE-2026-0625 exposes the same DNS mechanism exploited in previous large-scale hijacking campaigns," said Field Effect. “Because the impacted DSL models are EoL and unpatchable, continuing to operate them poses elevated operational risk.”
D-Link has initiated an internal investigation and plans to publish an updated model list after firmware-level reviews. Meanwhile, users are urged to replace legacy DSL routers with actively supported devices to mitigate risk.
Source: The Hacker News