Hackers actively exploit critical RCE flaw in legacy D-Link DSL routers

Attackers are exploiting a critical flaw (CVE-2026-0625) in old D-Link DSL routers that allows remote command execution. The vulnerability is due to improper input sanitization in the dnscfg.cgi endpoint, which has led to command injection allowing unauthenticated remote attackers to execute arbitrary shell commands, resulting in remote code execution.

Cybersecurity firm VulnCheck reported on December 16, 2025, that multiple D-Link DSL gateway devices are affected, highlighting issues with firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Active exploitation was detected on November 27, 2025. D-Link has initiated an internal investigation and is reviewing affected models, with an updated list expected soon. Experts recommend immediate replacement of obsolete DSL routers to upgrade to devices receiving security updates.

Read the complete article at Security Affairs.