This critical severity flaw in D-Link DSL gateway devices could allow for remote code execution


  • CVE-2026-0625, a critical command injection flaw (9.3/10), is being actively exploited in legacy D-Link gateway routers
  • Vulnerable models include DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, with attacks observed since November 2025
  • Researchers urge replacing unsupported devices, as compromised routers can enable RCE, credential theft, ransomware, and botnet activity

D-Link has confirmed that some of its gateway routers, which reached end-of-life (EoL) status years ago, are being exploited in the wild.

Earlier this week, security researchers from VulnCheck announced finding a command injection vulnerability due to improper sanitization of user-supplied DNS configuration parameters. The bug is tracked as CVE-2026-0625 and has a severity score of 9.3/10 (critical).

It allows unauthenticated threat actors to inject and execute arbitrary shell commands remotely, which opens the door to a wide range of follow-on attacks.
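The bug class the article describes is a textbook one: a web handler takes a DNS server address from a request and splices it into a shell command line, so anything the shell treats specially in that value becomes part of the command. The following is an added example, not D-Link firmware or VulnCheck's code, that shows the unsafe pattern beside a hardened handler; the function names, the `/etc/resolv.conf` write and the strict dotted-quad validator are assumptions about how such a handler might be written, chosen to illustrate the fix rather than any real endpoint.

```c
/*
 * Added example (not D-Link firmware, not VulnCheck's code): why an
 * unsanitized DNS setting becomes a command injection, and what the
 * fix looks like. Function names and the resolv.conf write are assumed.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The pattern that creates the bug: the user-supplied value is spliced
 * into a shell command line. Shell metacharacters (';', '&', '|', '`',
 * '$(') in the value are interpreted by the shell. This example only
 * builds the string; it never hands it to system(). */
int unsafe_build_dns_cmd(const char *dns, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "echo nameserver %s > /etc/resolv.conf", dns);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Returns 1 if the raw user value survives unchanged inside the command
 * line the unsafe builder would have executed, i.e. the injection point. */
int unsafe_cmd_echoes_input(const char *dns) {
    char cmd[256];
    if (unsafe_build_dns_cmd(dns, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, dns) != NULL;
}

/* Strict dotted-quad validator: exactly four decimal octets 0-255 and
 * nothing else. Only digits and '.' are accepted, so whitespace and every
 * shell metacharacter are rejected before any command or file is touched.
 * Leading zeros are rejected because "010" is ambiguous (octal vs decimal). */
int is_strict_ipv4(const char *s) {
    int octets = 0;
    if (!s || !*s) return 0;
    while (*s) {
        if (!isdigit((unsigned char)*s)) return 0;
        int value = 0, digits = 0;
        const char *start = s;
        while (isdigit((unsigned char)*s)) {
            value = value * 10 + (*s - '0');
            if (++digits > 3 || value > 255) return 0;
            s++;
        }
        if (digits > 1 && *start == '0') return 0;
        octets++;
        if (*s == '.') {
            if (!*(s + 1)) return 0;   /* trailing dot */
            s++;
        } else if (*s) {
            return 0;                  /* any character other than a digit or '.' */
        }
    }
    return octets == 4;
}

/* Hardened handler: validate first, then write the setting with ordinary
 * file I/O so no shell is involved at all. `path` is a parameter so the
 * example can write a scratch file instead of the real resolver config.
 * Returns 0 on success, -1 on rejected input, -2/-3 on I/O failure. */
int safe_set_dns(const char *dns, const char *path) {
    if (!is_strict_ipv4(dns)) return -1;   /* reject and answer HTTP 400 */
    FILE *f = fopen(path, "w");
    if (!f) return -2;
    int rc = (fprintf(f, "nameserver %s\n", dns) > 0) ? 0 : -3;
    fclose(f);
    return rc;
}

int main(void) {
    /* Constructed sample inputs: one valid address, one carrying a shell
     * separator, one out-of-range octet. */
    const char *inputs[] = { "9.9.9.9", "9.9.9.9; echo injected", "256.1.1.1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s strict_ipv4=%d unsafe_cmd_echoes_input=%d\n", inputs[i],
               is_strict_ipv4(inputs[i]), unsafe_cmd_echoes_input(inputs[i]));
    return 0;
}
```

The design point is that the fix is not escaping: the hardened path never constructs a shell command, and it accepts only values that parse as the type the field is supposed to hold. On a device that must shell out for other reasons, the same validator applied before the call is what stops the metacharacters from ever reaching a shell.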

Replacing outdated gear

"The affected endpoint is also associated with unauthenticated DNS modification ('DNSChanger') behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019," VulnCheck said in its advisory.

VulnCheck also said that the Shadowserver Foundation found evidence of attacks dating back to November 27, 2025.

Responding to the findings, D-Link said it was looking into the matter and added that it is difficult to determine all of the models affected, given how firmware is implemented across product generations. It said it would release a full list of affected models soon.

"Current analysis shows no reliable model number detection method beyond direct firmware inspection," D-Link said. "For this reason, D-Link is validating firmware builds across legacy and supported platforms as part of the investigation."

Currently, there is no information about the attackers, or about potential victims. Security researchers are urging users to replace unsupported devices with newer models, to keep them updated with the latest patches, and to defend their premises with firewalls, passwords, and multi-factor authentication (MFA) wherever possible.

In an SMB environment, a gateway router vulnerable to RCE lets attackers take full control of the network’s entry point. They can intercept and redirect traffic, steal credentials, deploy malware, and spy on internal communications. From the router, threat actors can move into internal systems, scan for vulnerable servers or endpoints, launch ransomware, or create a persistent backdoor.

Such routers are also sometimes used as botnet nodes, proxies, and C2 infrastructure.

Via The Hacker News



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
