Kinetic Potential Blog

An OS command injection vulnerability in discontinued D-Link gateway devices has been exploited in the wild as a zero-day.

Tracked as CVE-2026-0625 (CVSS score of 9.3), the security defect exists because the dnscfg.cgi library does not properly sanitize user-supplied DNS configuration parameters.

The issue allows remote, unauthenticated attackers to inject and execute arbitrary shell commands, achieving remote code execution (RCE), vulnerability intelligence company VulnCheck explains.

“The affected endpoint is also associated with unauthenticated DNS modification (DNSChanger) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019,” VulnCheck says.

The botnet known as Kimwolf has infected more than 2 million Android devices by tunneling through residential proxy networks, according to findings from Synthient.

"Key actors involved in the Kimwolf botnet are observed monetizing the botnet through app installs, selling residential proxy bandwidth, and selling its DDoS functionality," the company said in an analysis published last week.

Kimwolf was first publicly documented by QiAnXin XLab last month, while documenting its connections to another botnet known as AISURU. Active since at least August 2025, Kimwolf is assessed to be an Android variant of AISURU. There is growing evidence to suggest that the botnet is actually behind a series of record-setting DDoS attacks late last year.

The European Space Agency (ESA) has confirmed that some of its systems have been breached after a hacker offered to sell data allegedly stolen from the organization.

The space agency is conducting a forensic investigation and is working on securing compromised devices.

To date, the probe has shown that servers located outside the ESA corporate network have been compromised.

“Our analysis so far indicates that only a very small number of external servers may have been impacted. These servers support unclassified collaborative engineering activities within the scientific community,” the agency said in a statement posted on X.

“All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available,” it added.