Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers

The Hacker News • January 7, 2026

Companies Mentioned

D-Link

VulnCheck

Why It Matters

Unpatched DSL routers enable unauthenticated DNS hijacking, exposing entire networks to persistent compromise and data interception.

Key Takeaways

  • Critical RCE via dnscfg.cgi command injection
  • CVSS 9.3 score indicates severe risk
  • Affects DSL‑2740R, DSL‑2640B, DSL‑2780B, DSL‑526B
  • Devices are end‑of‑life, no patches available
  • Attackers can hijack DNS, compromising entire network

Pulse Analysis

The newly disclosed CVE‑2026‑0625 exploits a classic command‑injection weakness in the dnscfg.cgi CGI script used by several D‑Link DSL gateway models. By sending crafted DNS configuration parameters, an unauthenticated attacker can execute arbitrary shell commands on the router’s underlying Linux operating system. The flaw stems from insufficient input sanitisation, a problem that persists across multiple firmware revisions released between 2016 and 2019. Because the vulnerable code resides in a core networking component, the impact spans all traffic passing through the device, making it a high‑value target for threat actors seeking broad network control.

Threat intelligence feeds, including Shadowserver’s November 2025 alerts, confirm that exploitation attempts are already in the wild. The attack chain typically modifies DNS resolver entries, redirecting user traffic to malicious servers without any user interaction. This mirrors earlier large‑scale DNS hijacking campaigns that leveraged similar router weaknesses, amplifying the risk of credential theft, ransomware delivery, and espionage. While the identity of the actors remains unknown, the public nature of the exploit code raises the likelihood of opportunistic abuse, especially against organizations that continue to run legacy DSL equipment in remote sites or IoT deployments.

Mitigation hinges on device retirement and migration to modern, supported routers that receive regular security updates. For environments where replacement is not immediately feasible, network segmentation, strict outbound DNS filtering, and monitoring for anomalous DNS queries can reduce exposure. The episode underscores the broader industry challenge of managing end‑of‑life hardware; vendors must provide clear deprecation pathways and customers should enforce lifecycle policies to avoid similar blind‑spot vulnerabilities in the future.
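
The DNS monitoring described above, as an added example that is not from the original article: it reads flow records and reports DNS traffic to resolvers outside an allowlist, including the case where the router itself is the source. The record format, the addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS
# Assumed policy: clients ask the router, the router asks one upstream resolver.
ALLOWED = ["192.168.1.1/32", "198.51.100.53/32"]
# Constructed sample flow records in an assumed "epoch src dst dport proto" format.
SAMPLE_FLOWS = """\
1767772800 192.168.1.20 192.168.1.1 53 udp
1767772801 192.168.1.1 198.51.100.53 53 udp
1767772805 192.168.1.21 203.0.113.66 53 udp
1767772806 192.168.1.1 203.0.113.66 53 tcp
1767772807 192.168.1.22 198.51.100.10 443 tcp
truncated-record 192.168.1.23
""".splitlines()

def parse_flow(line):
    """Return (src, dst, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def find_unapproved_resolvers(lines, allowed):
    """Map each non-allowlisted DNS destination to the sources that queried it."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow[2] not in DNS_PORTS:
            continue
        src, dst, _ = flow
        if not any(dst in net for net in nets):
            hits[str(dst)].add(str(src))
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

def router_is_suspect(findings, router_ip):
    """True when the router itself sends DNS to an unapproved resolver."""
    return any(router_ip in srcs for srcs in findings.values())

if __name__ == "__main__":
    found = find_unapproved_resolvers(SAMPLE_FLOWS, ALLOWED)
    for dst, srcs in found.items():
        print(f"unapproved resolver {dst} queried by {', '.join(srcs)}")
    print("router suspect:", router_is_suspect(found, "192.168.1.1"))
```

A finding whose source is the router's own address is the stronger signal, since it means the device's upstream resolver setting no longer matches policy.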
