A specific Remote Code Execution (RCE) vulnerability in legacy D-Link DSL routers allows an unauthenticated remote attacker to inject and execute arbitrary commands on the target device. Because the vulnerability resides in the router's firmware, successful exploitation grants the attacker root-level access.
This level of control enables threat actors to modify device settings, intercept network traffic, or install malware, effectively turning the router into a node in a distributed denial-of-service (DDoS) botnet.
Shadowserver Foundation observed evidence of attackers exploiting this flaw on November 27, 2025, affecting devices declared EOL in 2020. This command injection vulnerability in the dnscfg.cgi endpoint stems from improper sanitization of user-supplied DNS configuration parameters.
The affected endpoint is also associated with the unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns from 2016 through 2019 targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models.
It is now affecting:
The targeted devices have reached End-of-Life (EOL), posing a significant challenge to the security of legacy routers. When a product reaches EOL, the manufacturer ceases technical support and software development, leaving users permanently exposed to exploitation.
This vulnerability, tracked as CVE-2026-0625, will most probably not be patched. The primary recommendation for organizations and individuals using these legacy D-Link DSL routers is to replace the hardware immediately and migrate to actively supported devices that receive regular firmware updates.
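Until affected hardware is replaced, requests to the dnscfg.cgi endpoint described above can be flagged in HTTP logs. The following is an added detection example, not code from D-Link, Shadowserver, or the original article. It assumes combined-format access logs from an upstream proxy or sensor, and the parameter names in the constructed sample lines are hypothetical.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format. The parameter names
# dns1/dns2 and PLACEHOLDER_CMD are hypothetical, not taken from the advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Nov/2025:10:01:02 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53&dns2=192.0.2.54 HTTP/1.1" 200 512
203.0.113.9 - - [27/Nov/2025:10:05:40 +0000] "GET /dnscfg.cgi?dns1=192.0.2.53%3BPLACEHOLDER_CMD&dns2=192.0.2.54 HTTP/1.1" 200 0
192.168.1.20 - - [27/Nov/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
SHELL_META = set(";|&`$(){}<>\\'\"\n\r")

def is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def classify(line):
    """Return (source, verdict, parameter names) for dnscfg.cgi requests, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, _method, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/dnscfg.cgi"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    # A DNS server setting should be a bare IP address; shell metacharacters
    # in any value indicate an injection attempt.
    tainted = [k for k, v in params if SHELL_META & set(v)]
    if tainted:
        return (src, "command-injection-attempt", tainted)
    resolvers = [k for k, v in params if is_ip(v)]
    if resolvers:
        return (src, "dns-change-request", resolvers)
    return (src, "dnscfg-access", [])

def scan(log_text):
    """Classify every line and keep only the dnscfg.cgi findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit from an address outside the management network warrants review, since the article describes both the command injection and the older DNS modification as unauthenticated.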
In November, a new Mirai variant, ShadowV2, targeted vulnerable IoT devices to create a botnet for DDoS attacks. Two months earlier, a critical TP-Link zero-day exposed millions of routers to full system takeover.