At a glance: A critical vulnerability in legacy D-Link DSL routers (CVE-2026-0625) enables unauthenticated remote code execution via the DNS configuration interface. Active exploitation has been observed, and affected devices are end of life. Immediate replacement and removal from internet-facing positions are strongly recommended.
Threat summary
On January 5, 2026, VulnCheck published an advisory detailing active exploitation of a command-injection vulnerability affecting legacy D‑Link DSL routers. Evidence of exploitation was first observed by the Shadowserver Foundation on November 27, 2025, more than five weeks before the vulnerability was publicly disclosed.
The affected technology includes legacy consumer and small‑office DSL gateway routers that provide broadband connectivity and DNS configuration through embedded web interfaces.
The flaw, tracked as CVE‑2026‑0625, affects the dnscfg.cgi DNS‑configuration endpoint and enables unauthenticated remote code execution on multiple end-of-life D-Link DSL gateway models.
The issue stems from improper sanitization of DNS configuration parameters, allowing threat actors to inject shell commands via the router’s web interface. CVE‑2026-0625 carries a CVSS v4.0 score of 9.3 and is rated Critical. Exploitation can result in full device compromise, DNS manipulation, and use of the router as a foothold for broader network intrusion.
The affected endpoint has historical ties to DNSChanger‑style attacks documented by D-Link between 2016 and 2019. The impacted devices were declared end of life in early 2020 and, as a result, no patches are available or planned.
Insights & mitigations
CVE-2026-0625 exposes the same DNS configuration mechanism leveraged in past large-scale DNS hijacking campaigns. The vulnerability enables unauthenticated remote code execution via the dnscfg.cgi endpoint, giving attackers arbitrary command execution on the device, and with it direct control over its DNS settings, without credentials or user interaction.
Once altered, DNS entries can silently redirect, intercept, or block downstream traffic, resulting in a persistent compromise of every device that relies on the router for name resolution. Because the impacted D-Link DSL models are end of life and unpatchable, organizations that continue to operate them face elevated operational risk.
Replacing affected devices with supported hardware is recommended. Organizations can reduce exposure by removing these devices from internet‑reachable positions, segmenting them from critical assets, and monitoring for unauthorized DNS configuration changes.
Additional defensive measures include restricting access to router management interfaces through upstream firewalls so that they are reachable only from trusted internal addresses, monitoring for indicators of compromise such as unexpected DNS server entries on the device or unexpected resolvers in outbound DNS traffic, and reviewing router web-interface access logs for requests to dnscfg.cgi originating from outside the management network.
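As an added example that is not part of the original advisory or of Field Effect's tooling, the following Python script applies two of the checks above to constructed log lines: it flags outbound DNS traffic (port 53) to resolvers outside an assumed organizational baseline, and it flags requests to the dnscfg.cgi endpoint that arrive from addresses outside an assumed internal range. The log formats, address ranges, resolver baseline and query-string parameter names are assumptions made for illustration; only the dnscfg.cgi path comes from the advisory.

```python
"""Detect signs of router DNS hijacking from constructed log lines.

Two checks a defender can run over telemetry they already collect:
  1. Outbound DNS (UDP/TCP 53) going to resolvers outside the organization's baseline.
  2. Requests to the router's dnscfg.cgi endpoint arriving from non-internal addresses.

All log formats, IP ranges and the resolver baseline below are assumptions for this example.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the resolvers the organization expects clients to use.
BASELINE_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Assumption: internal address space; anything outside it is treated as WAN side.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed flow-log lines in an assumed "src dst proto dport bytes" format.
FLOW_LOG = """\
10.0.1.20 10.0.0.53 udp 53 74
10.0.1.21 10.0.0.53 udp 53 80
10.0.1.20 203.0.113.9 udp 53 91
10.0.1.22 203.0.113.9 tcp 53 120
10.0.1.23 10.0.0.54 udp 53 70
10.0.1.20 198.51.100.7 tcp 443 5120
"""

# Constructed router web-interface access-log lines (assumed combined-log-like format).
# The query string on the second request is a placeholder, not the real interface's parameters.
ACCESS_LOG = """\
192.168.1.10 - - [27/Nov/2025:10:01:02 +0000] "GET /dnscfg.cgi HTTP/1.1" 200 512
198.51.100.44 - - [27/Nov/2025:10:03:15 +0000] "GET /dnscfg.cgi?x=1 HTTP/1.1" 200 512
198.51.100.44 - - [27/Nov/2025:10:03:16 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

FLOW_RE = re.compile(r"^(\S+) (\S+) (udp|tcp) (\d+) (\d+)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')


def is_internal(ip):
    """True if the address falls inside one of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unexpected_resolvers(flow_text):
    """Return {resolver_ip: flow_count} for port-53 traffic to non-baseline resolvers."""
    hits = Counter()
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _src, dst, _proto, dport, _size = m.groups()
        if dport == "53" and dst not in BASELINE_RESOLVERS:
            hits[dst] += 1
    return dict(hits)


def wan_side_dnscfg_requests(access_text):
    """Return [(client_ip, request_target)] for dnscfg.cgi hits from non-internal clients."""
    findings = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        client, _ts, _method, target, _status, _size = m.groups()
        path = target.split("?", 1)[0]  # drop any query string before matching the path
        if path.endswith("/dnscfg.cgi") and not is_internal(client):
            findings.append((client, target))
    return findings


if __name__ == "__main__":
    print("Non-baseline resolvers:", unexpected_resolvers(FLOW_LOG))
    print("WAN-side dnscfg.cgi requests:", wan_side_dnscfg_requests(ACCESS_LOG))
```

On the constructed input the first check reports the single off-baseline resolver 203.0.113.9 (two flows), and the second reports the dnscfg.cgi request from 198.51.100.44 while ignoring the same path requested from the internal 192.168.1.10. In practice the baseline should be derived from observed traffic over a quiet period, and a hit on the first check warrants inspecting the router's configured DNS servers directly.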
Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment.
Field Effect MDR detects unauthorized DNS changes by monitoring outbound DNS traffic for unexpected resolvers, sudden shifts in DNS query patterns, or resolution paths that deviate from the organization’s baseline. Continuous monitoring of endpoint behavior allows Field Effect MDR to detect post‑exploitation activity such as credential harvesting, browser redirections, or attempts to deploy malware after DNS hijacking.