Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers
A newly discovered critical security flaw in legacy D-Link DSL gateway routers has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), concerns a case of command injection in the "dnscfg.cgi" endpoint that arises as a result of improper sanitization of user-supplied DNS configuration parameters. "An unauthenticated remote attacker can inject
AI Analysis
Technical Summary
The vulnerability CVE-2026-0625 is a critical remote code execution flaw discovered in legacy D-Link DSL gateway routers, specifically models DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, produced between 2016 and 2019. The root cause is a command injection vulnerability in the dnscfg.cgi endpoint, which handles DNS configuration parameters without proper input sanitization. This allows an unauthenticated remote attacker to inject arbitrary shell commands, leading to full remote code execution on the device. The exploitation vector requires no authentication or user interaction, making it highly accessible to attackers scanning for vulnerable devices. The vulnerability enables attackers to alter DNS settings, effectively hijacking DNS traffic to redirect, intercept, or block communications for all downstream devices connected to the compromised router. This can facilitate persistent man-in-the-middle attacks, data interception, and malware distribution. The affected routers have reached end-of-life status, and no official patches are available, complicating remediation efforts. Active exploitation campaigns were detected by Shadowserver Foundation in late 2025, indicating real-world threat activity. D-Link is conducting a firmware-level review to identify all impacted models, but detection is challenging due to firmware variations. The vulnerability leverages a previously known DNSChanger attack vector, emphasizing the risk of large-scale DNS hijacking campaigns. Organizations still operating these legacy devices face elevated operational and security risks due to the inability to patch or secure these routers effectively.
Potential Impact
For European organizations, this vulnerability poses a severe threat to network security and data confidentiality. Compromised routers can silently redirect or intercept all DNS queries, enabling attackers to conduct phishing, credential theft, malware distribution, and espionage without detection. The persistence of the compromise affects all devices behind the router, including critical infrastructure, enterprise networks, and home offices. Given the end-of-life status of the affected devices, organizations cannot rely on vendor patches, increasing exposure duration. The impact extends to operational disruption if attackers manipulate DNS to block access to essential services or redirect traffic to malicious sites. Sensitive sectors such as finance, healthcare, government, and telecommunications are particularly at risk due to the potential for data breaches and service interruptions. The ease of exploitation and unauthenticated access heighten the threat level, potentially enabling widespread attacks across Europe where these legacy D-Link models remain in use. Additionally, the ability to control DNS settings can facilitate further lateral movement and compromise within corporate networks.
Mitigation Recommendations
Organizations should immediately inventory their network infrastructure to identify any legacy D-Link DSL routers, particularly models DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B. Given the lack of available patches, the recommended measures are:
- Retire and replace these devices with actively supported routers that receive regular security updates; this is the primary mitigation.
- Where immediate replacement is not feasible, implement network segmentation to isolate vulnerable routers from critical systems and sensitive data.
- Employ DNS security measures such as DNSSEC, and monitor for anomalous DNS traffic to detect potential hijacking attempts.
- Deploy network intrusion detection systems (NIDS) with signatures targeting exploitation attempts of CVE-2026-0625.
- Enforce strict access controls on router management interfaces and disable remote management if not required.
- Regularly monitor threat intelligence feeds and vendor advisories for updates on detection and mitigation tools.
- Educate IT staff and end users about the risks of compromised DNS infrastructure and the signs of DNS hijacking.
- Consider deploying endpoint security solutions capable of detecting malicious network redirections and man-in-the-middle attacks.
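Two of the recommendations above, monitoring DNS traffic for hijacking and locking down the management interface, can be turned into concrete checks over logs a defender already has. The following is an added example written for this page; it is not code from the article, from D-Link or from any vendor tool. The flow-record and access-log layouts, the resolver allowlist, the LAN range and the endpoint list are assumptions, and every log line is a constructed sample.

```python
"""Added example (not from the article, D-Link or any vendor tool): two
lightweight checks a defender can run over exported logs while legacy DSL
gateways await replacement.

1. DNS flow check: downstream clients should resolve only through resolvers the
   organisation expects. A gateway whose DNS settings were silently changed
   pushes client queries to a different resolver, which shows up in flow data.
2. Management-endpoint check: requests to the gateway's CGI management
   endpoints should originate on the LAN, never from a WAN-side address.

The log layouts, the resolver allowlist, the LAN range and the endpoint list
below are assumptions; the log lines are constructed samples.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the org's own resolver, the gateway itself and the ISP resolver.
EXPECTED_RESOLVERS = {"192.168.1.1", "10.0.0.53", "203.0.113.53"}

# Assumption: the gateway's LAN side.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Endpoint named in the advisory; extend with other management CGIs as needed.
MANAGEMENT_PATHS = ("/dnscfg.cgi",)

# Constructed flow records: client, server, server port, packet count.
SAMPLE_FLOWS = """\
192.168.1.20 192.168.1.1 53 40
192.168.1.21 192.168.1.1 53 37
192.168.1.22 198.51.100.9 53 120
192.168.1.22 198.51.100.9 53 88
192.168.1.23 10.0.0.53 53 12
192.168.1.24 192.168.1.1 443 3
"""

# Constructed access-log excerpt in Common Log Format, as a gateway or a
# reverse proxy in front of it might write it.
SAMPLE_ACCESS_LOG = """\
192.168.1.20 - - [07/Jan/2026:05:40:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.20 - - [07/Jan/2026:05:40:09 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 77
198.51.100.77 - - [07/Jan/2026:05:41:13 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 77
198.51.100.77 - - [07/Jan/2026:05:41:15 +0000] "GET /status.cgi HTTP/1.1" 200 210
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def unexpected_resolvers(flow_text, expected=EXPECTED_RESOLVERS):
    """Map each port-53 destination that is not an expected resolver to the
    number of packets sent to it. A non-empty result means some client is
    being steered to a resolver the organisation did not configure."""
    counts = Counter()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than failing the whole run
        _client, server, port, packets = parts
        if port != "53" or server in expected:
            continue
        counts[server] += int(packets)
    return dict(counts)


def wan_management_access(log_text, paths=MANAGEMENT_PATHS, lan=LAN_NET):
    """List (src_ip, method, path, timestamp) for every request to a management
    endpoint that did not come from the LAN. Any hit is worth investigating:
    remote management of these gateways should be disabled outright."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        src, ts, method, path, _status = m.groups()
        if path.split("?", 1)[0] not in paths:
            continue
        if ipaddress.ip_address(src) not in lan:
            hits.append((src, method, path, ts))
    return hits


if __name__ == "__main__":
    for resolver, packets in unexpected_resolvers(SAMPLE_FLOWS).items():
        print(f"unexpected resolver {resolver}: {packets} packets")
    for src, method, path, ts in wan_management_access(SAMPLE_ACCESS_LOG):
        print(f"WAN-side {method} {path} from {src} at {ts}")
```

Both checks are coarse signals rather than signatures: the flow check only sees plain port-53 traffic, so clients using encrypted DNS will not appear in it, and the access-log check depends on the gateway or a proxy in front of it actually logging management requests. On the sample data the first check reports 208 packets to the unlisted resolver 198.51.100.9, and the second reports one WAN-side POST to /dnscfg.cgi; either finding on a real network is a reason to pull the device for inspection and move its replacement forward.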
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Article source: https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html (fetched 2026-01-07T05:43:55Z, 999 words)
Threat ID: 695df29ca55ed4ed997953c3
Added to database: 1/7/2026, 5:43:56 AM
Last enriched: 1/7/2026, 5:44:15 AM
Last updated: 1/9/2026, 3:49:16 AM