Critical D-Link Router Flaw Under Active Attack Enables Remote Hijacking
The vulnerability stems from improper input sanitization in the dnscfg.cgi DNS configuration endpoint. Remote attackers can inject and execute arbitrary shell commands on vulnerable devices without authenticating. This allows complete device compromise, including modification of DNS settings, which lets attackers redirect or intercept all network traffic from devices connected to the compromised router.
Affected models include the D-Link DSL-2640B running firmware version 1.07 or earlier, DSL-2740R versions below 1.17, DSL-2780B version 1.01.14 and earlier, and DSL-526B version 2.01 and below. D-Link discontinued support for these routers around early 2020, meaning no firmware patches will be released to address this vulnerability.
Security researchers at VulnCheck reported the vulnerability on December 16, 2025, though the Shadowserver Foundation documented active exploitation attempts beginning as early as November 27, 2025. The attacks demonstrate that threat actors are actively scanning for and exploiting these vulnerable devices in the wild.
Device owners running affected D-Link routers are strongly urged to immediately retire these devices and upgrade to actively supported models that receive regular firmware and security updates. Since patching is not an option for end-of-life hardware, replacement represents the only viable mitigation strategy. Organizations should also audit their networks for any legacy networking equipment that may pose similar risks.
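For the audit step, the following added example (not part of the original article or any vendor tooling) checks an asset inventory against the model and firmware ranges listed above, including the difference between "or earlier" and "below" bounds. The CSV layout, host names and status labels are assumptions made for illustration.

```python
import csv
import re

# Affected ranges as stated in the article: model -> (bound, bound_is_inclusive)
AFFECTED = {
    "DSL-2640B": ("1.07", True),     # 1.07 or earlier
    "DSL-2740R": ("1.17", False),    # below 1.17
    "DSL-2780B": ("1.01.14", True),  # 1.01.14 and earlier
    "DSL-526B": ("2.01", True),      # 2.01 and below
}

def parse_version(text):
    """'v1.01.14' -> (1, 1, 14); None when the string is not a dotted version."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(model, firmware):
    """Return 'affected', 'review', 'eol-only' or 'not-listed' for one device."""
    key = next((k for k in AFFECTED if k in model.upper()), None)
    if key is None:
        return "not-listed"
    bound_text, inclusive = AFFECTED[key]
    ver, bound = parse_version(firmware), parse_version(bound_text)
    if ver is None:
        return "review"              # listed model, firmware unknown: check by hand
    width = max(len(ver), len(bound))  # pad so 1.17 compares equal to 1.17.0
    ver, bound = (v + (0,) * (width - len(v)) for v in (ver, bound))
    if ver < bound or (inclusive and ver == bound):
        return "affected"
    return "eol-only"                # outside the stated range, still unsupported

def audit(inventory_csv):
    """Return (host, status) for every row whose model appears in the article."""
    rows = csv.DictReader(inventory_csv.splitlines())
    return [(r["host"], s) for r in rows
            if (s := classify(r["model"], r["firmware"])) != "not-listed"]

# Constructed inventory export (host names and column layout are assumptions).
SAMPLE = """host,model,firmware
gw-branch-01,DSL-2640B,1.07
gw-branch-02,DSL-2740R,1.17
gw-branch-03,D-Link DSL-2780B,v1.01.12
gw-lab-01,DSL-526B,unknown
gw-hq-01,EXAMPLE-9000,3.2
gw-branch-04,dsl-2740r,1.16
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Rows reported as `review` or `eol-only` still belong on the replacement list, since the article notes that D-Link no longer supports any of these models.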