
Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago.
The vulnerability is now tracked as CVE-2026-0625 and affects the dnscfg.cgi endpoint due to improper input sanitization in a CGI library. An unauthenticated attacker could leverage this to execute remote commands via DNS configuration parameters.
Vulnerability intelligence firm VulnCheck reported the issue to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots.
VulnCheck told BleepingComputer that the technique captured by Shadowserver doesn’t appear to have been publicly documented.
“An unauthenticated remote attacker can inject and execute arbitrary shell commands, leading to remote code execution,” VulnCheck says in the security advisory.
In collaboration with VulnCheck, D-Link confirmed the following device models and firmware versions to be affected by CVE-2026-0625:
- DSL-526B ≤ 2.01
- DSL-2640B ≤ 1.07
- DSL-2740R < 1.17
- DSL-2780B ≤ 1.01.14
The above have reached end-of-life (EoL) since 2020 and won’t receive firmware updates to address CVE-2026-0625. Consequently, the vendor strongly recommends retiring and replacing the affected devices with supported models.
D-Link is still trying to determine if any other products are impacted by analyzing various firmware releases.
“Both D-Link and VulnCheck face complexity in precisely identifying all impacted models due to variations in firmware implementations and product generations,” D-Link explains.
“Current analysis shows no reliable model number detection method beyond direct firmware inspection. Because of this, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation,” says the vendor.
Currently, it’s unclear who is exploiting the vulnerability and against what targets. However, VulnCheck says that most consumer router setups allow only LAN access to administrative Common Gateway Interface (CGI) endpoints such as dnscfg.cgi.
Exploiting CVE-2026-0625 would imply a browser-based attack or a target device configured for remote administration.
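A log check built on the exposure conditions described above, as an added example that is not code from BleepingComputer, VulnCheck or D-Link: it flags requests to dnscfg.cgi that arrive from outside the LAN or carry shell metacharacters in any parameter value. The "source method URL" log format, the parameter names p1 and p2, and every sample line are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in an assumed "src_ip method url" format.
SAMPLE_LOG = """\
192.168.1.20 GET /dnscfg.cgi?p1=192.0.2.53&p2=192.0.2.54
203.0.113.7 GET /dnscfg.cgi?p1=192.0.2.53
192.168.1.33 GET /dnscfg.cgi?p1=192.0.2.53%3Bexample
198.51.100.9 GET /index.html
"""

# Address ranges treated as "LAN" for this check (RFC 1918 plus loopback).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Characters a DNS server address never needs but a shell interprets.
SHELL_META = re.compile(r"[;&|`$<>\r\n]")

def classify(line):
    """Return the findings for one log line; empty if nothing is suspicious."""
    src, _method, url = line.split(maxsplit=2)
    parts = urlsplit(url.strip())
    if not parts.path.lower().endswith("/dnscfg.cgi"):
        return []
    findings = []
    addr = ipaddress.ip_address(src)
    if not any(addr in net for net in LAN_NETS):
        findings.append("non-LAN source")
    # Split manually so the result does not depend on parse_qsl separator rules.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if SHELL_META.search(unquote_plus(raw)):
            findings.append(f"shell metacharacter in parameter {name!r}")
    return findings

def scan(log_text):
    """Return (source, findings) for every line that produced a finding."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            found = classify(line)
            if found:
                hits.append((line.split()[0], found))
    return hits

if __name__ == "__main__":
    for src, found in scan(SAMPLE_LOG):
        print(src, "->", "; ".join(found))
```

A non-LAN source on its own points to a device configured for remote administration, while a metacharacter hit from a LAN address fits the browser-based path.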
Users of end-of-life (EoL) routers and networking devices should replace them with models that are actively supported by the vendor or deploy them in non-critical networks, preferably segmented, using the latest available firmware version and restrictive security settings.
D-Link is warning users that the EoL devices don’t receive firmware updates, security patches, or any maintenance.

