CVE-2026-0625
Deferred Deferred - Pending Action
Command Injection in D-Link DSL Gateways Enables Remote Code Execution

Publication date: 2026-01-05

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0625
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
d-link dsl-526b 2.01
d-link dsl-2640b 1.07
d-link dsl-2740r 1.17
d-link dsl-2780b 1.01.14
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw in multiple D-Link DSL gateway devices. It exists in the dnscfg.cgi endpoint because it does not properly sanitize user-supplied DNS configuration parameters. This allows an unauthenticated remote attacker to inject and execute arbitrary shell commands on the affected devices, leading to remote code execution.

Impact Analysis

The vulnerability can allow an unauthenticated remote attacker to execute arbitrary commands on the affected D-Link DSL gateway devices. This can lead to full compromise of the device, unauthorized DNS modifications, and potentially allow attackers to control network traffic or launch further attacks within the network.

Mitigation Strategies

Since the affected D-Link DSL gateway devices are end-of-life and end-of-service as of early 2020, immediate mitigation steps include discontinuing use of these vulnerable devices and replacing them with supported hardware. Additionally, restrict network access to the dnscfg.cgi endpoint to prevent unauthenticated remote exploitation. Monitoring for unusual DNS configuration changes may also help detect exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0625. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart