Menace actors are exploiting a just lately found command injection vulnerability that impacts a number of D-Hyperlink DSL gateway routers that went out of assist years in the past.
The vulnerability is now tracked as CVE-2026-0625 and impacts the dnscfg.cgi endpoint resulting from improper enter sanitization in a CGI library. An unauthenticated attacker might leverage this to execute distant instructions by way of DNS configuration parameters.
Vulnerability intelligence firm VulnCheck reported the issue to D-Hyperlink on December 15, after The Shadowserver Basis noticed a command injection exploitation try on considered one of its honeypots.
VulnCheck informed BleepingComputer that the method captured by Shadowserver doesn’t seem to have been publicly documented.
“An unauthenticated distant attacker can inject and execute arbitrary shell instructions, leading to distant code execution,” VulnCheck says within the security advisory.
In collaboration with VulnCheck, D-Hyperlink confirmed the next machine fashions and firmware variations to be affected by CVE-2026-0625:
- DSL-526B ≤ 2.01
- DSL-2640B ≤ 1.07
- DSL-2740R < 1.17
- DSL-2780B ≤ 1.01.14
The above have reached end-of-life (EoL) since 2020 and won’t obtain firmware updates to handle CVE-2026-0625. Therefore, the seller strongly recommends retiring and changing the affected gadgets with supported fashions.
D-Hyperlink continues to be attempting to find out if another merchandise are impacted by analyzing varied firmware releases.
“Each D-Hyperlink and VulnCheck face complexity in exactly figuring out all impacted fashions resulting from variations in firmware implementations and product generations,” D-Hyperlink explains.
“Present evaluation exhibits no dependable mannequin quantity detection methodology past direct firmware inspection. Because of this, D-Hyperlink is validating firmware builds throughout legacy and supported platforms as a part of the investigation,” says the seller.
At the moment, it’s unclear who’s exploiting the vulnerability and in opposition to what targets. Nonetheless, VulnCheck says that the majority shopper router setups permit solely LAN entry to administrative Frequent Gateway Interface (CGI) endpoints akin to dnscfg.cgi.
Exploiting CVE-2026-0625 would suggest a browser-based assault or a goal machine configured for distant administration.
Customers of end-of-life (EoL) routers and networking gadgets ought to exchange them with fashions which can be actively supported by the seller or deploy them in non-critical networks, ideally segmented, utilizing the newest out there firmware model and restrictive security settings.
D-Hyperlink is warning customers that the EoL gadgets don’t obtain firmware updates, security patches, or any upkeep.
It is funds season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the 12 months forward. This report compiles their insights, permitting readers to benchmark methods, determine rising traits, and evaluate their priorities as they head into 2026.
Find out how high leaders are turning funding into measurable affect.
