Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago.

The vulnerability is now tracked as CVE-2026-0625 and affects the dnscfg.cgi endpoint due to improper input sanitization in a CGI library. An unauthenticated attacker could leverage this to execute remote commands via DNS configuration parameters.

Vulnerability intelligence company VulnCheck reported the problem to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots.

VulnCheck told BleepingComputer that the technique captured by Shadowserver does not appear to have been publicly documented.

"An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution," VulnCheck says in the security advisory.

In collaboration with VulnCheck, D-Link confirmed the following device models and firmware versions to be affected by CVE-2026-0625:

• DSL-526B ≤ 2.01
• DSL-2640B ≤ 1.07
• DSL-2740R < 1.17
• DSL-2780B ≤ 1.01.14

The above have reached end-of-life (EoL) since 2020 and will not receive firmware updates to address CVE-2026-0625. Hence, the vendor strongly recommends retiring and replacing the affected devices with supported models.

D-Link is still trying to determine if any other products are impacted by analyzing various firmware releases.

"Both D-Link and VulnCheck face complexity in precisely identifying all impacted models due to variations in firmware implementations and product generations," D-Link explains.

"Current analysis shows no reliable model number detection method beyond direct firmware inspection. For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation," says the vendor.

Currently, it is unclear who is exploiting the vulnerability and against what targets. However, VulnCheck says that most consumer router setups allow only LAN access to administrative Common Gateway Interface (CGI) endpoints such as dnscfg.cgi.

Exploiting CVE-2026-0625 would imply a browser-based attack or a target device configured for remote administration.

Users of end-of-life (EoL) routers and networking devices should replace them with models that are actively supported by the vendor or deploy them in non-critical networks, preferably segmented, using the latest available firmware version and restrictive security settings.

D-Link is warning users that the EoL devices do not receive firmware updates, security patches, or any maintenance.