
A critical remote code execution (RCE) flaw in older D-Link DSL routers has been identified as CVE-2026-0625, with a CVSS v4.0 score of 9.3, indicating a high risk for users who continue to use this hardware. Security researchers have found that the vulnerability is being actively exploited, leaving thousands of unprotected legacy devices open to complete compromise.
“An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution,” the issued security advisory warns.
The flaw resides in the router’s DNS configuration interface, specifically the dnscfg.cgi endpoint. According to VulnCheck’s January 5 advisory, the issue stems from improper input sanitization. Attackers can exploit this oversight to inject arbitrary shell commands directly through the router’s web interface, without ever having to log in.
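For defenders reviewing traffic toward one of these gateways, the following added example (not code from the advisory or from D-Link) flags requests to dnscfg.cgi whose parameter values contain shell metacharacters. It assumes Common Log Format lines from a proxy or network sensor; the parameter name `field` and all sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

ENDPOINT = "/dnscfg.cgi"  # endpoint named in the advisory
# Characters a shell treats specially; a DNS server address needs none of them.
SHELL_META = re.compile(r"[;|&`$(){}<>\\\r\n]")
# Assumed log format: Common Log Format, e.g. from a proxy or network sensor.
REQUEST = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded metacharacters are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return (source, verdict) for a dnscfg.cgi request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith(ENDPOINT):
        return None
    # parse_qsl splits on '&' before decoding, so separators are not flagged.
    values = [decode_fully(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    verdict = "injection" if any(SHELL_META.search(v) for v in values) else "access"
    return m.group("src"), verdict


def scan(lines):
    """Collect every dnscfg.cgi hit; any unauthenticated hit deserves review."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines; 'field' is a placeholder parameter name and the
# addresses come from documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2026:10:00:05 +0000] "GET /dnscfg.cgi?field=192.0.2.53 HTTP/1.1" 200 0',
    '198.51.100.9 - - [01/Jan/2026:10:00:09 +0000] "GET /dnscfg.cgi?field=192.0.2.53%253Becho HTTP/1.1" 200 0',
]
```

Access logs rarely record request bodies, so a POST to the endpoint is reported only as "access" and still needs manual review.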
The vulnerability affects a specific range of home and small office DSL gateway routers:
This particular component is no stranger to being targeted. The endpoint’s historical ties to known DNSChanger attacks, which occurred between 2016 and 2019, suggest that threat actors are repurposing old tactics to attack aging infrastructure.
The Shadowserver Foundation first detected evidence of active exploitation on November 27, 2025, months before the wider security community was alerted.
This “zero-day” window allowed attackers to create a botnet of compromised devices or silently manipulate DNS settings to redirect user traffic to malicious sites.
D-Link declared these models End of Life (EOL) in early 2020. As a result, there are no security patches available or planned. The only solution is to replace the hardware with a modern, supported device. Continuing to use these legacy gateways is like leaving the digital front door wide open.
