D-Link Router Vulnerability Under Active Attack, No Patch Available for EOL Devices
Attackers are actively exploiting CVE-2026-0625 (CVSS 9.3) in legacy D-Link DSL routers that reached end-of-life in 2020, with no patches forthcoming.
Security researchers have confirmed active exploitation of a critical command injection vulnerability in legacy D-Link DSL routers. Tracked as CVE-2026-0625 with a CVSS score of 9.3, the flaw allows unauthenticated remote attackers to execute arbitrary commands on affected devices.
Vulnerability Details
CVE-2026-0625 affects the "dnscfg.cgi" endpoint in vulnerable D-Link DSL router firmware. The vulnerability exists due to improper sanitization of user-supplied DNS configuration parameters:
- CVE ID: CVE-2026-0625
- CVSS Score: 9.3 (Critical)
- Attack Vector: Network (remote, no authentication required)
- Impact: Complete device compromise via remote code execution
Active Exploitation
The Shadowserver Foundation first recorded exploitation attempts targeting CVE-2026-0625 on November 27, 2025. Since then, attack volume has increased significantly as exploit code has spread through underground forums.
Attackers are using the vulnerability to:
- Install botnet malware for DDoS attacks
- Deploy cryptocurrency miners
- Establish persistent backdoor access
- Pivot to attack internal network resources
End-of-Life Devices
The affected D-Link DSL router models reached end-of-life (EOL) status in early 2020. D-Link has confirmed it will not release security patches for these devices, leaving users with limited options:
- Replace the device: The only fully effective mitigation
- Disable remote management: Reduces attack surface but may not prevent all exploitation
- Network segmentation: Isolate affected devices from critical resources
- Firewall rules: Block external access to the router's web interface
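One way to check that the firewall and remote-management mitigations above are holding, as an added example that is not from the article or from D-Link: scan HTTP logs captured in front of the router for requests to dnscfg.cgi that come from outside the LAN or carry a parameter value that is not a bare IP address. The log format (Common Log Format), the LAN range, the placeholder parameter names p1/p2 and the rule that DNS settings should be IP literals are all assumptions of this sketch.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: the LAN behind the router; adjust to your own addressing.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines in Common Log Format (not real traffic).
# p1/p2 are placeholder parameter names, not the firmware's real fields.
SAMPLE_LOG = """\
192.168.1.10 - - [01/Dec/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.168.1.10 - - [01/Dec/2025:10:00:05 +0000] "GET /dnscfg.cgi?p1=9.9.9.9&p2=1.1.1.1 HTTP/1.1" 200 64
203.0.113.7 - - [01/Dec/2025:10:02:11 +0000] "GET /dnscfg.cgi?p1=9.9.9.9 HTTP/1.1" 200 64
198.51.100.23 - - [01/Dec/2025:10:03:40 +0000] "GET /dnscfg.cgi?p1=9.9.9.9%3Bplaceholder HTTP/1.1" 200 64
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')


def parse_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def triage(log_text, endpoint="dnscfg.cgi"):
    """Return (source, reasons) for each request to the endpoint worth review."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, target = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1].lower() != endpoint:
            continue
        reasons = []
        addr = parse_ip(src)
        if addr is None or not any(addr in net for net in INTERNAL_NETS):
            reasons.append("external-source")
        # parse_qsl percent-decodes values; DNS settings should be bare IPs.
        bad = [k for k, v in parse_qsl(url.query) if parse_ip(v) is None]
        if bad:
            reasons.append("non-ip-value:" + ",".join(bad))
        if reasons:
            findings.append((src, reasons))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns the two external requests and ignores the LAN request with well-formed values. Access logs record only the query string, so parameters sent in a request body need a log source that captures bodies.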
Affected Models
While D-Link has not published a complete list, security researchers have confirmed the vulnerability affects multiple DSL-series models sold between 2015 and 2019. Users should check D-Link's support site for specific model information.
Broader Implications
This incident highlights the ongoing challenge of EOL network equipment. Many home and small business routers continue operating years after vendor support ends, creating persistent security risks. Security experts recommend establishing device replacement schedules that align with vendor support lifecycles.