CVE-2026-0625 is a critical vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting the D-Link DSL-2640B and potentially other related DSL/DIR/DNS devices. The vulnerability resides in the dnscfg.cgi endpoint, which manages DNS configuration on the device. Due to improper access control, this endpoint can be accessed without any authentication, allowing an attacker to modify DNS settings remotely. This enables DNS hijacking attacks, where user traffic can be redirected to attacker-controlled servers, facilitating man-in-the-middle attacks, phishing, malware distribution, or data exfiltration. The vulnerability was exploited in the past by the GhostDNS malware ecosystem, which targeted consumer and carrier-grade routers to manipulate DNS settings for malicious purposes. The affected devices have been designated end-of-life and no longer receive security patches, increasing the risk for users who continue to operate them. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Evidence of exploitation was observed by Shadowserver Foundation in late 2025, confirming active threat. Since no patches are available, mitigation options are limited to device replacement or network-level protections. This vulnerability poses a significant risk to any organization relying on these devices for internet connectivity or DNS resolution.

For European organizations, exploitation of CVE-2026-0625 can lead to severe consequences including interception and redirection of network traffic, enabling attackers to conduct phishing, credential theft, malware delivery, and data exfiltration. The compromise of DNS settings undermines trust in network communications and can disrupt business operations by redirecting users to malicious sites or causing denial of service. Carrier-grade and consumer routers affected by this vulnerability are often deployed in home offices, small businesses, and some enterprise edge networks, increasing the attack surface. The lack of vendor support and patches means that vulnerable devices remain exposed, especially in environments where device replacement is delayed due to cost or operational constraints. This can lead to prolonged exposure to DNS hijacking campaigns, potentially affecting sensitive data and critical infrastructure. Additionally, the use of these devices in ISP networks or by managed service providers in Europe could amplify the impact through widespread DNS manipulation.

Since no patches or firmware updates are available for the affected D-Link DSL-2640B and related devices, European organizations should prioritize immediate replacement of these devices with supported models that enforce proper authentication controls. Network administrators should implement network-level DNS filtering and monitoring to detect and block unauthorized DNS configuration changes. Deploying DNS security extensions (DNSSEC) and using trusted DNS resolvers can mitigate the impact of DNS hijacking. Organizations should audit their network infrastructure to identify any legacy or end-of-life D-Link devices and remove them from critical network segments. Employing network segmentation and strict access controls can limit exposure. Continuous monitoring for anomalous DNS traffic and configuration changes is essential. For ISPs and carriers, updating customer premises equipment (CPE) and providing guidance to end users about device replacement is critical. Incident response plans should include procedures for detecting and responding to DNS hijacking attempts.