Critical vulnerability in legacy D-Link routers allows remote takeover by hackers. No patches available - users must replace affected devices immediately.
Active Exploitation of Critical Router Vulnerability Puts Users at Risk
A severe security vulnerability affecting multiple legacy D-Link DSL gateway routers is being actively exploited by threat actors, putting potentially thousands of users at risk of complete network compromise. The flaw, tracked as CVE-2026-0625, carries a critical CVSS score of 9.3 out of 10 and allows unauthenticated attackers to execute arbitrary shell commands remotely.
How the Vulnerability Works
The security hole exists in the dnscfg.cgi endpoint of the router firmware, where improper sanitization of DNS configuration parameters enables command injection attacks. According to security researchers at VulnCheck, this allows attackers to manipulate DNS settings and execute shell commands without requiring authentication. 'This is essentially a remote control takeover of the router,' explains cybersecurity analyst Mark Johnson. 'Attackers can redirect all internet traffic, intercept sensitive data, or install malware on connected devices.'
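One way to look for this activity in web or proxy access logs, as an added example that is not from the original article, D-Link or VulnCheck: flag any request to dnscfg.cgi whose query values contain characters outside a conservative allowlist. The log lines, the parameter names dns1/dns2 and the function names are constructed for illustration; the real parameter names are not given on this page.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines; addresses are documentation ranges and
# the parameter names dns1/dns2 are hypothetical, not taken from the firmware.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Nov/2025:10:01:02 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53&dns2=192.0.2.54 HTTP/1.1" 200 512
198.51.100.7 - - [28/Nov/2025:10:05:40 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53%3Bexample-cmd HTTP/1.1" 200 512
203.0.113.10 - - [28/Nov/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.9 - - [28/Nov/2025:10:07:13 +0000] "POST /dnscfg.cgi?dns1=%60example-cmd%60 HTTP/1.1" 200 512
"""

# client, timestamp, method, request target, status from a common-log-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Allowlist: what an IPv4/IPv6 address, hostname or numeric flag can contain.
SAFE_VALUE = re.compile(r"[A-Za-z0-9.:_-]*")

def unsafe_params(query):
    """Return decoded (name, value) pairs whose value falls outside the allowlist."""
    bad = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if not SAFE_VALUE.fullmatch(value):
            bad.append((unquote_plus(name), value))
    return bad

def suspicious_dnscfg_requests(log_text):
    """Flag dnscfg.cgi requests that carry values outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/dnscfg.cgi"):
            continue
        bad = unsafe_params(url.query)
        if bad:
            findings.append({"client": client, "time": when, "method": method,
                             "status": int(status), "bad_params": bad})
    return findings

if __name__ == "__main__":
    for hit in suspicious_dnscfg_requests(SAMPLE_LOG):
        print(hit)
```

Values sent in a POST body do not appear in access logs, so this check only covers what is visible in the request line.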
Affected Devices and Limited Options
The vulnerability impacts several D-Link models released between 2016 and 2019, including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B routers. These devices have reached end-of-life status and are no longer supported by D-Link, meaning no security patches will be released. D-Link has acknowledged the issue in security advisory SAP10488 and is investigating the full scope of affected devices.
'The challenge with legacy hardware is that manufacturers typically stop providing updates after a certain period,' says network security expert Sarah Chen. 'Users often keep these devices running for years without realizing they've become security liabilities.'
Active Exploitation and Real-World Impact
Security monitoring services first detected exploitation attempts in late November 2025, with attacks continuing through early 2026. The vulnerability enables DNS hijacking capabilities similar to past large-scale campaigns like GhostDNS and DNSChanger. Attackers can redirect users to malicious websites, intercept login credentials, deploy ransomware, or recruit devices into botnets.
'We're seeing this vulnerability being used for credential theft and traffic interception,' reports threat intelligence analyst David Miller. 'The fact that it requires no authentication makes it particularly dangerous for home users and small businesses.'
Immediate Recommendations for Users
Security experts unanimously recommend replacing affected routers immediately. Since no firmware updates are available, continuing to use these devices poses significant security risks. Users should:
1. Check if they own any of the affected D-Link models
2. Replace end-of-life routers with modern, supported devices
3. Ensure new routers receive regular security updates
4. Use strong, unique passwords for router administration
5. Disable remote management features when not needed
'This situation highlights the importance of regularly updating network infrastructure,' concludes cybersecurity consultant Elena Rodriguez. 'What seems like a cost-saving measure today could become a major security incident tomorrow.'
The incident serves as a stark reminder of the risks associated with end-of-life technology in an increasingly connected world, where outdated hardware can become gateways for sophisticated cyber attacks.