9.3 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Description
Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification ("DNSChanger") behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.
AI Analysis
Command injection vulnerability in D-Link DSL gateway devices via the dnscfg.cgi endpoint, allowing remote code execution
Basic Information
ID
CVE-2026-0625
Source
VulnCheck
Published
Jan 5, 2026 at 21:14
Affected Product
Vendor
D-Link
Product
DSL-2640B
Affected Versions
D-Link DSL-2640B 0
D-Link DSL-2740R 0
D-Link DSL-2780B 0
D-Link DSL-526B 0
CWE Classification
AI Assessment
AI Score
9.3 / 10
AI Severity
Critical
Vendor
D-Link
Product
DSL gateway devices (DSL-2640B, DSL-2740R, DSL-2780B, DSL-526B)