CVE-2026-0625
Command Injection in D-Link DSL Gateways Enables Remote Code Execution

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: VulnCheck

Description
Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.
Affected Vendors & Products
Vendor Product Version
d-link dsl-526b 2.01
d-link dsl-2640b 1.07
d-link dsl-2740r 1.17
d-link dsl-2780b 1.01.14
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a command injection flaw in multiple D-Link DSL gateway devices. It exists in the dnscfg.cgi endpoint because the endpoint does not properly sanitize user-supplied DNS configuration parameters. This allows an unauthenticated remote attacker to inject and execute arbitrary shell commands on the affected devices, leading to remote code execution.


How can this vulnerability impact me?

The vulnerability can allow an unauthenticated remote attacker to execute arbitrary commands on the affected D-Link DSL gateway devices. This can lead to full compromise of the device and unauthorized DNS modifications, and may allow attackers to control network traffic or launch further attacks within the network.


What immediate steps should I take to mitigate this vulnerability?

Since the affected D-Link DSL gateway devices are end-of-life and end-of-service as of early 2020, immediate mitigation steps include discontinuing use of these vulnerable devices and replacing them with supported hardware. Additionally, restrict network access to the dnscfg.cgi endpoint to prevent unauthenticated remote exploitation. Monitoring for unusual DNS configuration changes may also help detect exploitation attempts.
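
One way to support the access restriction and monitoring steps above is to review proxy or firewall logs for requests that reach dnscfg.cgi. The following is an added example, not part of the original report or any vendor tooling; the log layout, the management subnet, the parameter name example_param and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: only this management subnet should ever reach the gateway web UI.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/28")]
# Characters with special meaning to a POSIX shell; none belongs in a DNS server address.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r'\"]")
# Assumed (constructed) log layout: "<timestamp> <src_ip> <method> <url>"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample log lines; example_param is a placeholder parameter name.
SAMPLE = [
    "2026-01-10T08:00:01Z 192.168.1.5 GET /dnscfg.cgi?example_param=192.0.2.53",
    "2026-01-10T08:03:11Z 203.0.113.7 GET /dnscfg.cgi?example_param=192.0.2.53%3B",
    "2026-01-10T08:04:00Z 203.0.113.7 GET /index.html",
]

def review_line(line):
    """Return a list of findings for one log line, or [] if nothing matches."""
    m = LINE.match(line.strip())
    if not m:
        return []
    _ts, src, _method, url = m.groups()
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/dnscfg.cgi"):
        return []
    findings = []
    try:
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in MGMT_NETS):
            findings.append("source-outside-mgmt")
    except ValueError:
        findings.append("unparseable-source")
    # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append(f"shell-metachar-in:{name}")
    return findings

def review_log(lines):
    """Map each suspicious log line to its findings."""
    report = {}
    for line in lines:
        findings = review_line(line)
        if findings:
            report[line] = findings
    return report

if __name__ == "__main__":
    for line, findings in review_log(SAMPLE).items():
        print(findings, line)
```

Any hit from outside the management range indicates the endpoint is still reachable where it should not be, independent of whether the request carried suspicious values.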


Meta Information
CVE Publication Date: 2026-01-05
CVE Last Modified Date: 2026-01-05
Report Generation Date: 2026-02-10
AI Powered Q&A Generation: 2026-01-06
EPSS Last Evaluated Date: 2026-02-09