January 6, 2026 By Bill Toulas
Threat actors are exploiting a recently discovered command injection vulnerability that affects multiple D-Link DSL gateway routers that went out of support years ago.
The vulnerability is now tracked as CVE-2026-0625 and affects the dnscfg.cgi endpoint due to improper input sanitization in a CGI library. An unauthenticated attacker could leverage this to execute remote commands via DNS configuration parameters.
Vulnerability intelligence company VulnCheck reported the problem to D-Link on December 15, after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots.
VulnCheck told BleepingComputer that the technique captured by Shadowserver does not appear to have been publicly documented.
"An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution," VulnCheck says in the security advisory.