1. Home
  2. Vulnerabilities
  3. CVE-2026-0625
9.3
CRITICAL CVSS 4.0
CVE-2026-0625
D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint
Description

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).

INFO

Published Date :

Jan. 5, 2026, 10:15 p.m.

Last Modified :

Jan. 8, 2026, 6:09 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
Affected Products

The following products are affected by CVE-2026-0625 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Dlink dir-615_firmware
2 Dlink dir-600_firmware
3 Dlink dns-320_firmware
4 Dlink dns-325_firmware
5 Dlink dns-345_firmware
: Total Affected Vendor : 1 | Products : 5
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 4.0 CRITICAL 83251b91-4cc7-4094-a5c7-464a1b83ea10
CVSS 4.0 CRITICAL [email protected]
CVSS 4.0 CRITICAL [email protected]
Solution
Update device firmware and disable remote administration to prevent command injection.
  • Update device firmware to the latest available version.
  • Disable remote administration features if not needed.
  • Restrict access to administrative interfaces.
  • Replace end-of-life devices.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-0625.

URL Resource
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488
https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-0625 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-0625 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-0625 vulnerability anywhere in the article.

  • Daily CyberSecurity
Exploited in the Wild: Critical Modular DS Flaw CVE-2026-23550 (CVSS 10) Allows Instant Admin Takeover

A critical privilege escalation vulnerability, tracked as CVE-2026-23550 (CVSS 10), has been discovered in the Modular DS WordPress plugin, actively exposing over 40,000 websites to unauthorized admin ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
The Orbital Lifeline: Starlink Battles Military-Grade Jamming in Iran

In response to internal domestic upheavals, Iran has effectively severed all connections to the global internet. Observational telemetry indicates that while a negligible minority of government agenci ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
CVE-2025-33206: High-Severity Flaw Patched in NVIDIA Nsight Graphics for Linux

NVIDIA has released a critical software update for its Nsight Graphics tool on Linux, patching a high-severity vulnerability that could allow attackers to execute arbitrary code or tamper with sensiti ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
HPE Aruba Patches High-Severity DoS and Data Leak Flaws in Instant On Devices

HPE Networking has released a critical software patch for its popular Instant On series of access points and routers, addressing a trio of high-severity vulnerabilities that could allow attackers to c ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Zoho Patches Critical “9.1” Flaw in ADSelfService Plus

ManageEngine has issued a critical security alert for ADSelfService Plus, its widely used self-service password management and single sign-on solution. The vendor has patched a high-severity vulnerabi ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
One API Call to Hijack: Critical Cal.com Flaw (CVE-2026-23478, CVSS 10) Bypasses 2FA

A critical security vulnerability has been found in Cal.com, the popular open-source scheduling platform used by individuals and enterprises worldwide. Tracked as CVE-2026-23478, the flaw carries the ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
High-Severity Flaws in HPE Aruba Networking Expose Mobility Controllers to Attack

HPE Aruba Networking has released a critical security advisory patching a swarm of vulnerabilities across its AOS-8 and AOS-10 operating systems. The flaws, which affect Mobility Conductors, Controlle ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Command Injection Alert: High-Severity Flaws Hit LoadMaster & MOVEit WAF

Progress Software Corporation has kicked off the 2026 security calendar with an important update for its network infrastructure products. On January 12, 2026, the vendor released patches addressing tw ... Read more

Published Date: Jan 15, 2026 (2 weeks ago)
  • Daily CyberSecurity
Critical SAP Alert: S/4HANA SQL Injection & Wily RCE Threaten Financial Data

SAP administrators are facing a busy start to the year. On January 13, 2026, the enterprise software giant released 17 new security notes, addressing a raft of vulnerabilities that could expose critic ... Read more

Published Date: Jan 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
Fortinet Critical Alert: CVE-2025-64155 RCE & Config Leaks Exposed

Fortinet has issued a sweeping set of security advisories, patching critical vulnerabilities across its product ecosystem that could allow attackers to execute arbitrary code, delete files, or hijack ... Read more

Published Date: Jan 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
Critical OpenCode Flaws Let Websites Hijack Your PC

Two vulnerabilities were found in the open-source OpenCode agent that let attackers write malicious code directly onto your machine. Security researchers have disclosed two high-severity flaws that tu ... Read more

Published Date: Jan 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
Patch Tuesday Jan 2026: Microsoft Fixes 114 Flaws & 3 Zero-Days

Microsoft has kicked off 2026 with a massive security update, addressing a total of 114 vulnerabilities in its January Patch Tuesday release. The update includes eight critical flaws and 106 important ... Read more

Published Date: Jan 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
Critical Appsmith Flaw CVE-2026-22794 Allows Account Takeover

A critical vulnerability has been discovered in Appsmith, the popular open-source platform used by organizations to build internal dashboards and admin panels. Tracked as CVE-2026-22794, the flaw carr ... Read more

Published Date: Jan 14, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
CVE-2026-22718: EOL Spring CLI Tool for VS Code Found Vulnerable to Command Injection

Developers using the Spring CLI extension for Visual Studio Code are being urged to clean up their environments immediately. A new vulnerability, tracked as CVE-2026-22718, has been discovered in the ... Read more

Published Date: Jan 13, 2026 (2 weeks, 1 day ago)
  • Daily CyberSecurity
AI Identity Theft: Critical ServiceNow Flaw (CVE-2025-12420) Allows Unauthenticated Impersonation

A critical vulnerability has been uncovered in the ServiceNow AI Platform, potentially allowing unauthenticated attackers to masquerade as legitimate users. With a severity score of 9.3 out of 10, the ... Read more

Published Date: Jan 13, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
CISA “Must-Patch” Alert: Critical Gogs Exploit CVE-2025-8110 Active in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has added a dangerous new entry to its “Must-Patch” list, warning that a popular tool used by developers worldwide is actively being exploit ... Read more

Published Date: Jan 13, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
Angular Security Alert: High-Severity SVG Flaw CVE-2026-22610 Exposes Apps to XSS

A seemingly harmless feature in Scalable Vector Graphics (SVG) has become a major security headache for Angular developers. A new high-severity vulnerability, tracked as CVE-2026-22610, has been disco ... Read more

Published Date: Jan 13, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
Double Critical: Hardcoded Secrets Expose Ruckus IoT Controllers to Root RCE

A pair of critical security vulnerabilities has been disclosed in the Ruckus vRIoT IoT Controller, the central brain for managing enterprise IoT devices. Both flaws carry the maximum possible CVSS sco ... Read more

Published Date: Jan 13, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
CVE-2025-52694 (CVSS 10): Critical Advantech SQL Injection Exposes IoT Devices

The Cyber Security Agency of Singapore (CSA) has issued a high-priority alert regarding a devastating vulnerability in Advantech’s IoT product line. The flaw, tracked as CVE-2025-52694, carries the ma ... Read more

Published Date: Jan 13, 2026 (2 weeks, 2 days ago)
  • Daily CyberSecurity
Critical Alert: Moxa Switches Exposed to OpenSSH Remote Code Execution (CVSS 9.8)

A critical security vulnerability has been identified in Moxa’s industrial ethernet switches, threatening the integrity of operational technology (OT) networks. The vulnerability, tracked as CVE-2023- ... Read more

Published Date: Jan 13, 2026 (2 weeks, 2 days ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-0625 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    Jan. 08, 2026

    Action Type Old Value New Value
    Changed Description Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020. Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Removed CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-306
    Removed CWE CWE-78
    Added Reference https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118
  • CVE Modified by [email protected]

    Jan. 07, 2026

    Action Type Old Value New Value
    Added Reference https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488
  • New CVE Received by [email protected]

    Jan. 05, 2026

    Action Type Old Value New Value
    Added Tag unsupported-when-assigned
    Added Description Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-78
    Added Reference https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068
    Added Reference https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.3
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability