Detections
Analytics

CVE-2026-0625

critical

Description

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).

References

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488

https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118

https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068

https://www.securityweek.com/hackers-exploit-zero-day-in-discontinued-d-link-devices/

https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html

https://securityaffairs.com/186616/hacking/hackers-actively-exploit-critical-rce-flaw-in-legacy-d-link-dsl-routers.html

https://www.bleepingcomputer.com/news/security/new-d-link-flaw-in-legacy-dsl-routers-actively-exploited-in-attacks/

https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint

Details

Source: Mitre, NVD

Published: 2026-01-05

Updated: 2026-04-15

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: Critical

EPSS

EPSS: 0.01348