Critical RCE Vulnerability Exploited in Legacy D-Link DSL Routers
Take action: If you use D-Link routers, check this advisory to see whether any of your devices are among the vulnerable models. If so, make sure the devices are isolated from the internet, reset them with a complex password, and force trusted upstream DNS servers. Plan to replace these devices very quickly: they are exploitable and won't be getting patches.
D-Link is investigating active attacks against several legacy DSL gateway routers. Attackers are using a critical flaw to take over devices without needing a password. This vulnerability allows hackers to run their own code on the router and gain full control over the network. The Shadowserver Foundation first recorded these exploitation attempts on November 27, 2025.
The flaw, tracked as CVE-2026-0625 (CVSS score 9.3), exists in the dnscfg.cgi endpoint. The software fails to sanitize DNS settings provided by users. Because of this, an attacker can send a malicious command that the router then executes. This gives the attacker a way to change DNS settings or install malware without any user interaction.
Several older models are at risk. Most of these reached their end-of-life in early 2020 and no longer receive security updates from the manufacturer. Affected models include:
- DSL-2640B (version 1.07 and older)
- DSL-2740R (versions before 1.17)
- DSL-2780B (version 1.01.14 and older)
- DSL-526B (version 2.01 and older)
This endpoint is linked to "DNSChanger" behavior. Between 2016 and 2019, attackers used similar bugs to hijack DNS settings. By changing these settings, hackers can silently redirect all web traffic from every device connected to the router to fake or malicious websites. This allows them to steal credentials or intercept sensitive data from any computer or phone on the local network.
D-Link states there is no reliable way to detect the vulnerability without checking the firmware directly. Since these routers are old and not supported, the company recommends replacing them with supported hardware. If you cannot replace them immediately, you should reset the device, set a strong password, and manually set DNS to trusted providers like Google (8.8.8.8) or Cloudflare (1.1.1.1).
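As a client-side check for the DNS hijacking described above, the following added example (not code from D-Link or from this article) audits the resolvers a LAN host has been handed against the trusted providers named here. It assumes a Linux-style resolv.conf format; the function names and the sample input are constructed for illustration.

```python
import ipaddress

# Trusted upstream resolvers named in the article (Google, Cloudflare).
TRUSTED = {ipaddress.ip_address(a) for a in ("8.8.8.8", "1.1.1.1")}
# Loopback, link-local and private ranges: a stub resolver or the router itself.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample input, not taken from a real device.
SAMPLE = """\
# handed out by DHCP
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver 8.8.8.8
"""

def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue  # comments, search/options lines, blanks
        try:
            # Drop an IPv6 zone suffix such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
        except ValueError:
            continue  # malformed address, ignore
    return servers

def classify(addr):
    if addr in TRUSTED:
        return "trusted"
    if any(addr in net for net in LOCAL_NETS):
        # The client cannot see which upstream the forwarder uses.
        return "local-forwarder"
    return "unexpected"

def audit(text):
    """Map each configured resolver to trusted / local-forwarder / unexpected."""
    return {str(a): classify(a) for a in parse_nameservers(text)}

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE).items():
        print(f"{server:15} {verdict}")
```

A `local-forwarder` result means the host relies on the router for DNS, so the router's own upstream DNS setting still has to be checked on its admin page. An `unexpected` result is a resolver outside the trusted set and should be traced back to where it was configured.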