- CVE-2026-0625, a critical command injection flaw (9.3/10), is being actively exploited on legacy D-Link gateway routers.
- Vulnerable models include DSL-2740R, DSL-2640B, DSL-2780B and DSL-526B, with attacks observed since November 2025.
- Researchers urge replacing unsupported devices, as compromised routers can enable RCE, credential theft, ransomware, and botnet activity.
D-Link has confirmed that some of its gateway routers, which reached end-of-life (EoL) status years ago, are being exploited in the wild.
Earlier this week, security researchers at VulnCheck announced that they had found a command injection vulnerability due to improper sanitization of user-supplied DNS configuration parameters. The bug is tracked as CVE-2026-0625 and has a severity score of 9.3/10 (critical).
It allows unauthenticated threat actors to inject and execute arbitrary shell commands remotely, opening the door to a wide variety of attack types.
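The following is an added defensive illustration of this bug class, not code from D-Link firmware or from VulnCheck's advisory. The function names are hypothetical, and it assumes the DNS setting is meant to hold an IP literal: the value is parsed, re-serialized, and written as configuration text instead of being interpolated into a shell command.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: parse a user-supplied DNS server value as an IP
 * literal and re-serialize it. Returns 0 and fills canon on success,
 * -1 for anything that is not exactly one IPv4 or IPv6 address. */
int canonical_dns_server(const char *input, char *canon, size_t canon_len)
{
    unsigned char addr[sizeof(struct in6_addr)];
    int family;

    if (input == NULL || canon == NULL)
        return -1;
    /* Bound the length before parsing; no valid literal is longer. */
    if (strlen(input) >= INET6_ADDRSTRLEN)
        return -1;

    if (inet_pton(AF_INET, input, addr) == 1)
        family = AF_INET;
    else if (inet_pton(AF_INET6, input, addr) == 1)
        family = AF_INET6;
    else
        return -1; /* trailing text, separators, hostnames: all rejected */

    /* Emit the parsed address, never the raw request string. */
    return inet_ntop(family, addr, canon, (socklen_t)canon_len) ? 0 : -1;
}

/* Hypothetical helper: build resolver config text in memory. Fails closed:
 * if either value is invalid, the output buffer stays empty. */
int build_resolv_conf(const char *primary, const char *secondary,
                      char *out, size_t out_len)
{
    char p[INET6_ADDRSTRLEN], s[INET6_ADDRSTRLEN];
    int n;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (canonical_dns_server(primary, p, sizeof p) != 0 ||
        canonical_dns_server(secondary, s, sizeof s) != 0)
        return -1;

    n = snprintf(out, out_len, "nameserver %s\nnameserver %s\n", p, s);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}
```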
Replacement of obsolete equipment
“The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 to 2019,” VulnCheck said in its advisory.
VulnCheck also said that the Shadowserver Foundation found evidence of attacks dating back to November 27, 2025.
In response to the findings, D-Link said it was investigating the matter, adding that it is difficult to determine all affected models, given how firmware is implemented across product generations. It said it would soon publish a full list of affected models.
“The current analysis does not show any reliable method of model number detection beyond direct inspection of the firmware,” D-Link said. “For this reason, D-Link is validating firmware versions on legacy and supported platforms as part of the investigation.”
Currently, there is no information about the attackers or possible victims. Security researchers urge users to replace unsupported devices with newer models, keep them up to date with the latest patches, and defend their installations with firewalls, passwords, and multi-factor authentication (MFA) whenever possible.
In an SMB environment, an RCE-vulnerable gateway router allows attackers to take full control of the network entry point. They can intercept and redirect traffic, steal credentials, deploy malware, and spy on internal communications. From the router, threat actors can enter internal systems, search for vulnerable servers or endpoints, launch ransomware, or create a persistent backdoor.
These routers are also sometimes used as botnet nodes, proxy servers, and C2 infrastructure.
Via Hacker News