Overview
- The flaw, tracked as CVE-2026-0625 with a CVSS score of 9.3, enables unauthenticated command injection via the dnscfg.cgi endpoint.
- Active exploitation has been observed in the wild, with Shadowserver recording attempts on November 27, 2025, and the threat actors and scale remain unknown.
- D-Link and VulnCheck confirmed affected EoL models and versions: DSL-526B ≤ 2.01, DSL-2640B ≤ 1.07, DSL-2740R < 1.17, and DSL-2780B ≤ 1.01.14.
- Attackers can modify router DNS settings without credentials, enabling silent redirection or interception of downstream traffic across connected devices.
- No patches will be issued for the listed EoL devices, replacement is advised, and D-Link expects to update the model list following a firmware-level review this week.