Hackers Exploit Zero-Day in Discontinued D-Link Devices

The critical-severity vulnerability allows unauthenticated, remote attackers to execute arbitrary shell commands.


An OS command injection vulnerability in discontinued D-Link gateway devices has been exploited in the wild as a zero-day.

Tracked as CVE-2026-0625 (CVSS score of 9.3), the security defect exists because the dnscfg.cgi library does not properly sanitize user-supplied DNS configuration parameters.

The issue allows remote, unauthenticated attackers to inject and execute arbitrary shell commands, achieving remote code execution (RCE), vulnerability intelligence company VulnCheck explains.

“The affected endpoint is also associated with unauthenticated DNS modification (DNSChanger) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019,” VulnCheck says.

Based on data from The Shadowserver Foundation, CVE-2026-0625 has been exploited in the wild since late November 2025, the vulnerability intelligence firm notes.
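As an added illustration (not code from the article, D-Link or VulnCheck), the following sketch triages HTTP access logs from a proxy or sensor placed in front of such a gateway for requests that reach dnscfg.cgi. The log layout, the sample lines and the parameter names p1/p2 are constructed assumptions, since the article does not name the real parameters.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in a common access-log layout (not real traffic).
# "p1"/"p2" are placeholder parameter names; the article does not name the real ones.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Dec/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Dec/2025:10:00:02 +0000] "GET /dnscfg.cgi?p1=192.0.2.53&p2=192.0.2.54 HTTP/1.1" 200 0
203.0.113.9 - - [01/Dec/2025:10:00:03 +0000] "GET /dnscfg.cgi?p1=192.0.2.53%3Bexample HTTP/1.1" 200 0
203.0.113.9 - - [01/Dec/2025:10:00:04 +0000] "POST /DNSCFG.CGI?p1=%2524%2528example%2529 HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')
SHELL_META = re.compile(r"[;&|`$()<>\n\r]")  # characters a shell treats specially

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (source, verdict, flagged_params) for dnscfg.cgi requests, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, target = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/dnscfg.cgi"):
        return None
    flagged = []
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        if SHELL_META.search(fully_decode(value)):
            flagged.append(unquote(name))
    # Any hit on this endpoint is worth review (DNS modification); metacharacters raise it.
    verdict = "injection-suspect" if flagged else "dns-change"
    return (src, verdict, sorted(flagged))

def scan(log_text):
    """Classify every line and keep only the dnscfg.cgi findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests without shell metacharacters are still reported as `dns-change`, because the same endpoint is tied to the unauthenticated DNS modification behavior described above.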

According to D-Link, the exploited zero-day impacts multiple device models. However, variations in firmware implementations make it difficult to compile a list of vulnerable appliances.


“D-Link continues a detailed firmware-level review to determine affected devices. An updated list of specific models and, where applicable, firmware versions under review will be published later this week,” the vendor notes in an advisory.

The confirmed vulnerable models, D-Link says, are legacy DSL gateway appliances that were discontinued half a decade ago.

“All confirmed findings to date point to legacy DSL gateway products that reached End of Life or End of Support more than five years ago. These products no longer receive firmware updates, security patches, or active engineering maintenance,” the company explains.

No patch will be released for the zero-day and the owners of the vulnerable D-Link products should retire them and replace them with supported models, the company says.

There does not appear to be any information on the attacks exploiting CVE-2026-0625, but compromised D-Link networking devices can be abused by threat actors for various purposes, including DDoS attacks, proxy services, traffic interception and redirection, and lateral movement. 


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
