CVE-2026-0625

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).

CVSS

No CVSS.

References

Link	Resource
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118
https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488
https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint

Configurations

No configuration.

History

08 Jan 2026, 16:16

Type	Values Removed	Values Added
CWE	~~CWE-78~~	CWE-306
References		() https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118 -
Summary	(en) Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.	(en) Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).

07 Jan 2026, 17:16

Type	Values Removed	Values Added
References		() https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488 -

05 Jan 2026, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-05 22:15

Updated : 2026-01-08 18:09

NVD link : CVE-2026-0625

Mitre link : CVE-2026-0625

CVE.ORG link : CVE-2026-0625

JSON object : View

Products Affected

No product.

CWE

CWE-306

Missing Authentication for Critical Function

JSON object

Attach tags to CVE-2026-0625

Attach tags to `CVE-2026-0625`