- CVE-2026-0625, a critical command injection vulnerability (9.3/10), is actively exploited in older D-Link gateway routers.
- Vulnerable models include DSL-2740R, DSL-2640B, DSL-2780B and DSL-526B, with attacks observed since November 2025.
- Researchers recommend replacing unsupported devices because compromised routers can enable RCE, credential theft, ransomware, and botnet activity.
D-Link has confirmed that some of its gateway routers, which reached end-of-life (EoL) status years ago, are being exploited in the wild.
Earlier this week, security researchers at VulnCheck announced that they had discovered a command injection vulnerability due to improper sanitization of user-supplied DNS configuration settings. The bug is tracked as CVE-2026-0625 and has a severity score of 9.3/10 (critical).
It allows unauthenticated malicious actors to inject and execute arbitrary shell commands remotely, opening the door to a myriad of different attack types.
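The root cause described above is a DNS setting that reaches a shell without strict validation. As an added example (not D-Link firmware code and not taken from the VulnCheck advisory), this C code shows the hardened pattern: accept only literal IP addresses and write the resolver file directly instead of building a shell command. The function names, the resolv.conf-style output and the sample inputs are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 only if s is a literal IPv4 or IPv6 address, else 0.
 * inet_pton() rejects trailing characters, so ';', '`', '$', spaces
 * and similar shell metacharacters can never pass. */
int dns_server_is_valid(const char *s)
{
    unsigned char addr[sizeof(struct in6_addr)];

    if (s == NULL || s[0] == '\0' || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    if (inet_pton(AF_INET, s, addr) == 1)
        return 1;
    return inet_pton(AF_INET6, s, addr) == 1;
}

/* Renders "nameserver <addr>" lines into out without involving a shell.
 * All values are validated before anything is written. Returns the number
 * of lines written, or -1 (with out emptied) on a rejected value or
 * insufficient space. */
int render_resolv_conf(const char *const servers[], size_t n,
                       char *out, size_t outlen)
{
    size_t used = 0, i;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    for (i = 0; i < n; i++)
        if (!dns_server_is_valid(servers[i]))
            return -1;
    for (i = 0; i < n; i++) {
        int w = snprintf(out + used, outlen - used, "nameserver %s\n", servers[i]);
        if (w < 0 || (size_t)w >= outlen - used) {
            out[0] = '\0';
            return -1;
        }
        used += (size_t)w;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed input: one literal address, one carrying a metacharacter. */
    const char *submitted[] = { "8.8.8.8", "1.1.1.1;reboot" };
    char conf[128];
    printf("rc=%d\n", render_resolv_conf(submitted, 2, conf, sizeof conf));
    return 0;
}
```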
Replacement of obsolete equipment
“The affected endpoint is also associated with unauthenticated DNS changing (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 to 2019,” VulnCheck said in its advisory.
The advisory also states that the Shadowserver Foundation found evidence of attacks dating back to November 27, 2025.
In response to the findings, D-Link said it was investigating the matter and added that it was difficult to determine all affected models, given how firmware is implemented across product generations. It said it would soon release a full list of affected models.
“Current analysis shows no reliable method of model number detection beyond direct firmware inspection,” D-Link said. “For this reason, D-Link is validating firmware versions on existing and supported platforms as part of the investigation.”
Currently, there is no information on the attackers or potential victims. Security researchers urge users to replace unsupported devices with newer models, keep them up to date with the latest patches, and defend their premises with firewalls, passwords, and multi-factor authentication (MFA) whenever possible.
In an SMB environment, a gateway router vulnerable to RCE allows attackers to take full control of the network entry point. They can intercept and redirect traffic, steal credentials, deploy malware, and spy on internal communications. From the router, malicious actors can access internal systems, scan for vulnerable servers or endpoints, launch ransomware, or create a persistent backdoor.
These routers are also sometimes used as botnet nodes, proxies, and C2 infrastructure.
Via Hacker news




