Hackers Exploit Zero-Day in Discontinued D-Link Devices
An OS command injection vulnerability in discontinued D-Link gateway devices has been exploited in the wild as a zero-day.
Tracked as CVE-2026-0625 (CVSS score of 9.3), the security defect exists because the dnscfg.cgi library does not properly sanitize user-supplied DNS configuration parameters.
The issue allows remote, unauthenticated attackers to inject and execute arbitrary shell commands, achieving remote code execution (RCE), vulnerability intelligence company VulnCheck explains.
“The affected endpoint is also associated with unauthenticated DNS modification (DNSChanger) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019,” VulnCheck says.
Based on data from The Shadowserver Foundation, CVE-2026-0625 has been exploited in the wild since late November 2025, the vulnerability intelligence firm notes.
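For defenders reviewing logs from a reverse proxy or gateway in front of such a device, the sketch below flags requests to dnscfg.cgi and separates plain DNS changes from parameter values that are not strict IP literals. It is an added example, not code from VulnCheck, D-Link or the original article; the combined-log format, the parameter names dns1/dns2 and every sample line are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined-log style); the parameter names
# dns1/dns2 are hypothetical placeholders, not taken from any advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Dec/2025:10:01:11 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [02/Dec/2025:10:01:12 +0000] "GET /dnscfg.cgi?dns1=203.0.113.53&dns2=203.0.113.54 HTTP/1.1" 200 0
203.0.113.9 - - [02/Dec/2025:10:05:40 +0000] "GET /dnscfg.cgi?dns1=192.0.2.1%3BPLACEHOLDER_CMD&dns2=192.0.2.2 HTTP/1.1" 200 0
192.0.2.44 - - [02/Dec/2025:10:06:02 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_clean_value(value):
    """Allow-list check: clean only if the value is an IP literal or a short integer."""
    if re.fullmatch(r"\d{1,5}", value):
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def classify(line):
    """Return (client, verdict, bad_params) for dnscfg.cgi requests, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/dnscfg.cgi"):
        return None
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    bad = [name for name, value in params if not is_clean_value(value)]
    if bad:
        return client, "injection-suspect", bad
    if params:
        return client, "dns-change", []
    return client, "endpoint-access", []

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, verdict, bad in scan(SAMPLE_LOG):
        print(f"{client:15} {verdict:18} {','.join(bad)}")
```

POST bodies are not present in access logs, so a POST to the endpoint is reported only as access and needs packet or proxy body capture to classify further.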
According to D-Link, the exploited zero-day impacts multiple device models. However, variations in firmware implementations make it difficult to compile a list of vulnerable appliances.
“D-Link continues a detailed firmware-level review to determine affected devices. An updated list of specific models and, where applicable, firmware versions under review will be published later this week,” the vendor notes in an advisory.
The confirmed vulnerable models, D-Link says, are legacy DSL gateway appliances that were discontinued half a decade ago.
“All confirmed findings to date point to legacy DSL gateway products that reached End of Life or End of Support more than five years ago. These products no longer receive firmware updates, security patches, or active engineering maintenance,” the company explains.
No patch will be released for the zero-day, and owners of the vulnerable D-Link products should retire them and replace them with supported models, the company says.
There does not appear to be any information on the attacks exploiting CVE-2026-0625, but compromised D-Link networking devices can be abused by threat actors for various purposes, including DDoS attacks, proxy services, traffic interception and redirection, and lateral movement.
This article was published by Security Week. Please check their website for the original content.