Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers

Parkinsond

Dec 6, 2023
The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the "dnscfg.cgi" endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters.

"CVE-2026-0625 exposes the same DNS configuration mechanism leveraged in past large-scale DNS hijacking campaigns," Field Effect said. "The vulnerability enables unauthenticated remote code execution via the dnscfg.cgi endpoint, giving attackers direct control over DNS settings without credentials or user interaction."

"Once altered, DNS entries can silently redirect, intercept, or block downstream traffic, resulting in a persistent compromise affecting every device behind the router."

 
Can using DoH in browser settings bypass such a change in DNS settings on the router level?
 
Recommendation / Remediation

Do not attempt to patch or configure these devices.

Affected Models

DSL-2640B

DSL-2740R

DSL-2780B

DSL-526B

Immediate Replacement
The affected models are EOL (End-of-Life). Replace the hardware immediately with a supported router from a reputable vendor.

Physical Disconnect
Remove the vulnerable D-Link router from both the power and the internet immediately to stop active exploitation.

Post-Incident Review
If you were using one of these models:

Assume all local network traffic was potentially monitored.

Rotate Wi-Fi passwords and administrative credentials for other devices on the network.

Check local devices for signs of lateral movement or suspicious background processes.

References

CVE-2026-0625: Command Injection in D-Link DSL Routers

NVD/VulnCheck: Unauthenticated RCE in dnscfg.cgi
 
DSL, that's a name I haven't heard in a LOOONG time! Using a VPN would bypass the internal DNS, but only if the VPN client was set up to route all traffic through the VPN without any leaks, i.e. a VPN firewall mode where anything not going through the VPN is denied access.

Seeing the age of the devices, I would assume the folks who are still employing that technology are the same ones who fall for gift-card-based IRS/tech support scams, i.e. the elderly.

I do not think those routers support DoH on the default firmware; of course, if you are running dd-wrt or any other third-party firmware then you should be safe, since I do not think that firmware falls victim to the same exploit.
 
I'm still on ADSL (not even VDSL) 🙋‍♂️

What about browser DoH? Can it bypass router DNS hijacking?
I apologize for consequently calling you elderly.

I am 99 going 300.

Since browser DoH encrypts the requests and sends them directly to the DNS provider, I do not see why it should fall victim to this; but now you are 100% relying on the fact that your browser always routes through DoH (worse if you use more than one browser type). Of course, browser DoH is disabled in the majority of corporations, since it is both an enterprise DNS bypass method and a malware bypass method.
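The caveat above (DoH covers only the browser, everything else uses the OS resolver handed out by the router) and the thread's post-incident review step of checking local devices suggest a concrete check. The following is an added example, not code from the thread or from any vendor: it reads the resolver list a host actually received and flags any server the owner did not configure. The expected resolvers, the LAN subnet and the sample `ipconfig /all` output are constructed assumptions.

```python
"""Audit OS-level resolvers after a suspected router DNS hijack (added example, not from the thread).
Browser DoH covers only the browser; other programs use the OS resolver, whose servers come from the
router via DHCP. Expected resolvers, LAN subnet and sample output below are constructed assumptions."""
import ipaddress
import re

EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}  # assumed: the router plus one chosen public resolver
LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed home subnet

def resolvers_from_ipconfig(text):
    """Collect every 'DNS Servers' entry from `ipconfig /all`, incl. indented continuation lines."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
        elif in_dns and re.match(r"\s{20,}\S+\s*$", line):
            servers.append(line.strip())  # continuation line holds only an address
        else:
            in_dns = False
    return servers

def resolvers_from_resolv_conf(text):
    """Collect 'nameserver X' entries from a Linux /etc/resolv.conf."""
    fields = (line.split() for line in text.splitlines())
    return [f[1] for f in fields if len(f) > 1 and f[0] == "nameserver"]

def audit(servers):
    """Classify each resolver; 'suspicious' is True if any server the owner did not configure is present."""
    r = {"expected": [], "unexpected_lan": [], "unexpected_external": [], "malformed": []}
    for s in servers:
        addr = s.split("%")[0]  # drop an IPv6 zone id such as fe80::1%12
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            r["malformed"].append(s)
            continue
        if addr in EXPECTED_RESOLVERS:
            r["expected"].append(addr)
        elif ip.version == 4 and ip in LAN:
            r["unexpected_lan"].append(addr)
        else:
            r["unexpected_external"].append(addr)  # what a resolver pushed by a hijacked router looks like
    r["suspicious"] = bool(r["unexpected_lan"] or r["unexpected_external"])
    return r

# Constructed sample; 203.0.113.53 is a documentation address standing in for a rogue resolver.
SAMPLE_IPCONFIG = "Ethernet adapter Ethernet:\n   DNS Servers . . . . . . . . . . . : 192.168.1.1\n" \
                  "                                       203.0.113.53\n   NetBIOS over Tcpip. . . . : Enabled\n"
```

Run `audit(resolvers_from_ipconfig(SAMPLE_IPCONFIG))` on each device behind the router; a non-empty `unexpected_external` list on a machine that only uses browser DoH shows that every non-browser lookup was still going to a resolver you never chose.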