- CVE-2026-0625, a critical command injection flaw (9.3/10), is being actively exploited in older D-Link gateway routers
- Vulnerable models include DSL-2740R, DSL-2640B, DSL-2780B and DSL-526B, with attacks observed since November 2025
- Researchers urge replacing unsupported devices as compromised routers can enable RCE, credential theft, ransomware and botnet activity
D-Link has confirmed that some of its gateway routers, which reached end-of-life (EoL) status years ago, are being exploited in the wild.
Earlier this week, security researchers from VulnCheck announced that they found a command injection vulnerability due to improper sanitization of user-supplied DNS configuration parameters. The bug is tracked as CVE-2026-0625 and has a severity score of 9.3/10 (Critical).
It allows unauthorized threat actors to inject and execute arbitrary shell commands remotely, opening the doors to a myriad of different attack types.
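Improper sanitization of DNS configuration parameters is avoided by parsing each field as an address and using only the parsed result. The C example below is an added illustration, not D-Link firmware code or part of VulnCheck's alert; the function names and sample inputs are assumptions constructed for the example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: turn a user-supplied DNS server field into its
 * canonical dotted-quad form. Returns 0 on success, -1 on rejection. */
int canonical_dns_server(const char *input, char *out, size_t outlen)
{
    struct in_addr addr;

    if (input == NULL || out == NULL || strlen(input) >= INET_ADDRSTRLEN)
        return -1;
    /* inet_pton accepts only a complete IPv4 address; any trailing ';',
     * backtick, '$(', space or newline makes it fail. */
    if (inet_pton(AF_INET, input, &addr) != 1)
        return -1;
    /* Re-serialize from the parsed bytes so the raw string is never reused. */
    if (inet_ntop(AF_INET, &addr, out, (socklen_t)outlen) == NULL)
        return -1;
    return 0;
}

/* Hypothetical helper: build the resolver configuration in memory instead of
 * handing the values to system() or popen(). Returns bytes written or -1. */
int build_resolv_conf(const char *primary, const char *secondary,
                      char *buf, size_t buflen)
{
    char p[INET_ADDRSTRLEN], s[INET_ADDRSTRLEN];
    int n;

    if (canonical_dns_server(primary, p, sizeof p) != 0 ||
        canonical_dns_server(secondary, s, sizeof s) != 0)
        return -1;
    n = snprintf(buf, buflen, "nameserver %s\nnameserver %s\n", p, s);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "192.0.2.53", "192.0.2.53;reboot", "$(id)" };
    char out[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               canonical_dns_server(samples[i], out, sizeof out) == 0 ? out : "rejected");
    return 0;
}
```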
Replacement of obsolete gear
“The affected endpoint is also associated with unauthorized DNS modification behavior (‘DNSChanger’) documented by D-Link, which reported active exploitation campaigns targeting firmware variants of DSL-2740R, DSL-2640B, DSL-2780B and DSL-526B models from 20196,” VulnCheck said in its alert.
It also said the ShadowServer Foundation found evidence of attacks dating back to November 27, 2025.
In response to the findings, D-Link said it was investigating the matter, adding that it is difficult to determine all the affected models given how firmware is deployed across product generations. It said it would soon release a full list of affected models.
“Current analysis shows no reliable method of detecting the model number beyond direct firmware inspection,” D-Link said. “For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation.”
At the moment, there is no information about the attackers or about potential victims. Security researchers encourage users to replace unsupported devices with newer models, to keep them updated with the latest patches, and to defend their premises with firewalls, passwords, and multi-factor authentication (MFA) where possible.
In an SMB environment, a gateway router vulnerable to RCE allows attackers to take full control of the network entry point. They can intercept and redirect traffic, steal credentials, deploy malware, and spy on internal communications. From the router, threat actors can move into internal systems, scan for vulnerable servers or endpoints, launch ransomware or create a persistent backdoor.
Such routers are also sometimes used as botnet nodes, proxies, and C2 infrastructure.
Via Hacker News