Active Exploitation of Critical RCE in Legacy D-Link DSL Routers
These articles are AI-generated summaries. Please check the original sources for full details.
Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers
A critical vulnerability (CVE-2026-0625) in D-Link DSL routers allows unauthenticated attackers to execute arbitrary commands and modify DNS settings. The flaw, affecting models from 2016-2019, has a CVSS score of 9.3 and was observed being actively exploited as of November 27, 2025.
Why This Matters
Ideal network security models assume timely patching and vendor support, but many devices reach end-of-life before vulnerabilities are addressed. This vulnerability impacts routers that are no longer receiving updates, leaving users exposed to DNS hijacking and remote control of their network. The potential scale of compromise is significant, as successful exploitation can redirect all traffic from affected networks, leading to data breaches or widespread outages.
Key Insights
- CVE-2026-0625 detection: Shadowserver Foundation reported exploitation attempts on November 27, 2025.
- Root cause: Improper sanitization of DNS configuration parameters in the “dnscfg.cgi” endpoint allows command injection.
- End-of-life impact: Many affected models reached end-of-life as early as 2020, meaning no security updates are available.
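Because no firmware fix will ship for these models, log review is one of the few checks left to defenders. The script below is an added example, not code from the original article or from D-Link: it triages HTTP access logs for requests that reach the `dnscfg.cgi` endpoint named above. It assumes combined-format logs from a proxy or sensor in front of the router's management interface and a LAN of 192.168.1.0/24. The parameter name `dns1` and all log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines (combined log format). Addresses are documentation
# ranges; the parameter name "dns1" is hypothetical, not taken from the firmware.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Nov/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.20 - - [27/Nov/2025:10:02:10 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53 HTTP/1.1" 200 128
203.0.113.9 - - [27/Nov/2025:10:03:44 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53%3BEXAMPLE HTTP/1.1" 200 128
"""

REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
ADDRESS_ONLY = re.compile(r"[0-9A-Fa-f:.]*")  # characters legal in IPv4/IPv6 literals


def triage(log_text, lan="192.168.1.0/24"):
    """Return (source, reasons) for every logged request that reaches dnscfg.cgi."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        src, _method, target = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1].lower() != "dnscfg.cgi":
            continue
        try:
            outside = ipaddress.ip_address(src) not in lan_net
        except ValueError:  # logged client is a hostname, not an address
            outside = True
        reasons = ["source outside LAN"] if outside else []
        # parse_qsl percent-decodes, so encoded metacharacters are checked in clear.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if not ADDRESS_ONLY.fullmatch(value):
                reasons.append(f"non-address value in {name!r}")
        findings.append((src, reasons or ["LAN change, verify it was intended"]))
    return findings


if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_LOG):
        print(src, "->", "; ".join(reasons))
```

Access logs record only the request line, so parameters sent in a request body are invisible to the value check; the hit on the endpoint itself is still reported.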
Practical Applications
- Use Case: A malicious actor could redirect users to phishing sites by altering DNS records on compromised routers.
- Pitfall: Continuing to use end-of-life hardware creates significant security risks due to the lack of vendor support and security updates.