Cybersecurity, April 3, 2026

CVE-2026-0625: Critical RCE in Legacy D-Link Routers Is Being Actively Exploited — No Patch Coming

A CVSS 9.3 command-injection flaw in discontinued D-Link DSL gateway models is being exploited in the wild for remote code execution and botnet recruitment. D-Link has confirmed it will never release a patch. If you have one of these devices, replace it now.


CVE-2026-0625 is a CVSS 9.3 command-injection vulnerability in the dnscfg.cgi endpoint of several discontinued D-Link DSL gateway models. Attackers are actively exploiting it in the wild for unauthenticated remote code execution and botnet recruitment. D-Link has confirmed no patch will ever be released. If you have an affected device on a network that touches anything important, replace it.

Affected models: DSL-2740R, DSL-2640B, DSL-2780B, DSL-526B. All are end-of-life devices running firmware from 2016–2019 that D-Link stopped supporting five or more years ago.

What the vulnerability does: The router’s DNS configuration handler fails to sanitize user input before passing it to shell commands. An unauthenticated attacker on the network (or via WAN if the admin interface is exposed) can inject arbitrary shell commands by crafting a malformed DNS server parameter. No credentials required. Exploitation takes seconds.
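The bug class described above, as an added example in C (this is not D-Link's firmware code, which this page does not show): the unsafe pattern appears only as a comment, next to a handler that validates the DNS server value and runs its helper without a shell. The helper path `/usr/sbin/set_dns` and both function names are hypothetical, and the sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;
/* Hypothetical helper path for this example; not a real firmware binary. */
#define SET_DNS_HELPER "/usr/sbin/set_dns"

/* Vulnerable pattern, shown only for contrast: the request value becomes
 * part of a shell command line, so the shell interprets whatever it holds.
 *     snprintf(cmd, sizeof cmd, SET_DNS_HELPER " %s", value);
 *     system(cmd); */

/* Accept only a literal IPv4 or IPv6 address. inet_pton() must consume the
 * whole string, so spaces, hostnames and shell metacharacters all fail. */
int is_valid_dns_server(const char *value)
{
    unsigned char addr[sizeof(struct in6_addr)];
    if (value == NULL || value[0] == '\0' || strlen(value) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, value, addr) == 1 ||
           inet_pton(AF_INET6, value, addr) == 1;
}

/* Hardened handler: validate, then pass the value as one argv entry to
 * posix_spawn(), which starts the helper without a shell.
 * Returns 0 on success, -1 if the value is rejected, -2 if the helper fails. */
int apply_dns_server(const char *value)
{
    pid_t pid;
    int status;
    if (!is_valid_dns_server(value))
        return -1;
    char *const argv[] = { (char *)SET_DNS_HELPER, (char *)value, NULL };
    if (posix_spawn(&pid, SET_DNS_HELPER, NULL, NULL, argv, environ) != 0)
        return -2;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -2;
    return WEXITSTATUS(status) == 0 ? 0 : -2;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.0.2.53", "2001:db8::53", "192.0.2.53;id" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], is_valid_dns_server(samples[i]) ? "accept" : "reject");
    return 0;
}
```

Validation and shell-free execution are independent controls: either one alone stops this class of injection, and using both means a mistake in one does not reopen it.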

What attackers are doing with it: Security researchers tracking the active exploitation campaigns report that compromised routers are being drafted into botnets — likely for DDoS amplification and credential-stuffing proxy networks. DNS hijacking is also a documented outcome: attackers modify the router’s DNS settings to redirect legitimate traffic to malicious servers, enabling phishing and man-in-the-middle attacks on every device on the network.

The fix: There is no firmware patch and there will never be one. D-Link’s official guidance is to retire the affected device and replace it with a currently-supported model. If you must keep the device temporarily, disable WAN-side management access, put the router behind another firewall, and segment it from critical network resources. These mitigations reduce exposure but do not eliminate it — the vulnerability is exploitable from LAN as well.

How to check: Log into your router’s admin panel and look for the model number. If it matches DSL-2740R, DSL-2640B, DSL-2780B, or DSL-526B, you are vulnerable. To confirm whether the admin interface is exposed to the internet, look up your public IP address on Shodan or check it with your preferred scanning tool.

The broader lesson is one the security industry has failed to learn: millions of end-of-life devices remain online, connected to home and small-business networks, with no update mechanism and no vendor support. CVE-2026-0625 has been under active exploitation since at least November 2025 — over four months of unpatched exposure on devices people assume their ISPs keep secure.

ISPs that distributed these devices as part of broadband packages have an unaddressed obligation here. In several markets, the affected D-Link models were ISP-supplied hardware. Customers never chose them, cannot easily identify them as a security risk, and have no obvious path to replacement. That is a structural problem that CVE numbering alone cannot fix.

For network administrators and security teams: audit your edge devices. Anything running on firmware from 2019 or earlier with no active vendor support should be treated as compromised until replaced.
