
CVE-2026-0625: CWE-306 Missing Authentication for Critical Function in D-Link DSL-2640B

Severity: Critical
Tags: Vulnerability, CVE-2026-0625, cve, cve-2026-0625, cwe-306
Published: Mon Jan 05 2026 (01/05/2026, 21:14:48 UTC)
Source: CVE Database V5
Vendor/Project: D-Link
Product: DSL-2640B

Description

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/05/2026, 09:14:42 UTC

Technical Analysis

CVE-2026-0625 is a critical security vulnerability categorized under CWE-306 (Missing Authentication for Critical Function) found in multiple D-Link router models, notably the DSL-2640B. The vulnerability exists in the dnscfg.cgi endpoint of the device's web interface, which does not properly enforce authentication and access controls. This flaw allows an unauthenticated remote attacker to directly access and modify the device’s DNS configuration settings. By exploiting this, attackers can perform DNS hijacking attacks, redirecting user traffic to attacker-controlled domains and infrastructure, facilitating phishing, malware distribution, or man-in-the-middle attacks. The vulnerability was actively exploited by the GhostDNS malware ecosystem in 2019, targeting consumer and carrier-grade routers. Despite the affected devices being designated end-of-life with no security patches available, exploitation evidence was observed as recently as November 2025 by the Shadowserver Foundation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A) describes a vulnerability that is exploitable over the network with low attack complexity, requires no privileges and no user interaction, and has high impact on confidentiality, integrity, and availability. The lack of vendor patches and ongoing exploitation highlight the persistent risk posed by legacy D-Link devices still in operation worldwide.

Potential Impact

The impact of CVE-2026-0625 is severe for organizations and individuals using affected D-Link routers. Successful exploitation allows attackers to hijack DNS settings, redirecting all user traffic through malicious servers. This can lead to widespread phishing attacks, credential theft, malware infections, and interception of sensitive communications. For ISPs and carriers deploying these devices at scale, the vulnerability could enable large-scale traffic manipulation and espionage. The absence of authentication and ease of exploitation mean attackers can compromise devices remotely without user interaction, increasing the attack surface. Since the affected devices are end-of-life and unpatched, organizations cannot remediate via firmware updates, raising the risk of persistent compromise. This undermines network trust, data confidentiality, and availability of internet services, potentially causing reputational damage and financial losses.

Mitigation Recommendations

Given the lack of available patches for affected D-Link devices, the primary mitigation is to replace all impacted routers with supported, updated hardware that enforces proper authentication controls. Network administrators should immediately audit their infrastructure to identify any legacy D-Link DSL/DIR/DNS devices, especially DSL-2640B models. Until replacement, organizations should implement network-level DNS filtering and monitoring to detect and block unauthorized DNS configuration changes or suspicious DNS traffic. Employing DNSSEC validation can help mitigate DNS hijacking impacts. Segmentation of management interfaces away from untrusted networks and disabling remote management features can reduce exposure. Additionally, monitoring for indicators of compromise related to GhostDNS or similar malware activity is advised. Users should be educated about phishing risks stemming from DNS hijacking. Finally, organizations should engage with ISPs and vendors to ensure legacy device phase-out plans are accelerated.
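The monitoring recommended above can be sketched as detection logic over network records. This is an added example, not part of the original advisory; the record format, the management subnet, the approved resolver list and all addresses are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example (site-specific values, not from the advisory).
MGMT_NET = ipaddress.ip_network("192.168.1.0/28")  # hosts allowed to manage the router
APPROVED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}    # resolvers clients are expected to use

# Constructed records in a hypothetical format:
#   "<time> HTTP <src> <dst> <method> <path>"  or  "<time> DNS <src> <resolver>"
SAMPLE = """\
2026-01-10T02:11:09Z HTTP 203.0.113.50 192.168.1.1 GET /dnscfg.cgi
2026-01-10T02:11:30Z HTTP 192.168.1.5 192.168.1.1 GET /index.html
2026-01-10T02:12:02Z HTTP 192.168.1.5 192.168.1.1 GET /dnscfg.cgi
2026-01-10T02:15:44Z DNS 192.168.1.23 192.168.1.1
2026-01-10T02:20:17Z DNS 192.168.1.23 198.51.100.7
"""

def find_alerts(log_text):
    """Return (time, rule, source, detail) tuples for suspicious records."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed record
        ts, kind, src = fields[:3]
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # unparseable source address
        if kind == "HTTP" and len(fields) >= 6:
            # Compare only the final path component, ignoring case and query string.
            name = urlsplit(fields[5]).path.rsplit("/", 1)[-1].lower()
            if name == "dnscfg.cgi" and src_ip not in MGMT_NET:
                alerts.append((ts, "dnscfg-access", src, fields[3]))
        elif kind == "DNS" and fields[3] not in APPROVED_RESOLVERS:
            alerts.append((ts, "unapproved-resolver", src, fields[3]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE):
        print(*alert)
```

The first rule flags any request for dnscfg.cgi from outside the management subnet; the second flags clients sending DNS queries to a resolver that is not on the approved list, which is what a changed router DNS setting looks like from the network.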


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-01-05T20:59:29.705Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 695c2bac3839e441759217e3

Added to database: 1/5/2026, 9:22:52 PM

Last enriched: 3/5/2026, 9:14:42 AM

Last updated: 3/24/2026, 4:29:09 PM
