The Ghost in the Router: Hackers Exploit Unpatchable D-Link Zero-Day in 2026
Antiquated D-Link hardware evidently remains in service in many environments, and adversaries are now working to turn that persistence into an attack vector. Network monitors have detected active exploitation of a recently unearthed vulnerability that permits unauthenticated remote code execution on several D-Link DSL gateway models that reached end-of-life status years ago.
The flaw, designated as CVE-2026-0625 with a critical CVSS score of 9.3, resides within the dnscfg.cgi handler of the web interface, which manages DNS configurations. Due to insufficient sanitization of input data, a remote actor can inject arbitrary system commands via DNS configuration parameters, thereby achieving full remote code execution without the need for credentials.
VulnCheck alerted D-Link to the issue on December 15, while preliminary indicators of exploitation were captured by The Shadowserver Foundation via their global honeypot network. According to VulnCheck, the specific methodology observed on these sensors had not been previously documented in public disclosures.
D-Link has formally acknowledged the vulnerability, identifying several impacted devices and firmware versions. The list includes the DSL-526B (up to v2.01), DSL-2640B (up to v1.07), DSL-2740R (below v1.17), and DSL-2780B (up to v1.01.14). As all these models have carried an “End of Life” status since 2020, no security patches will be forthcoming. Consequently, the vendor explicitly recommends that these devices be decommissioned and replaced with modern, supported hardware.
Furthermore, D-Link noted that the sheer heterogeneity of legacy firmware and hardware generations makes it challenging to definitively identify every susceptible model. The company is currently auditing various firmware builds across both legacy and contemporary platforms to ascertain if the vulnerability extends to other products.
While the identity and objectives of the attackers remain unknown, VulnCheck highlights a significant practical constraint: in most residential configurations, access to administrative CGI endpoints like dnscfg.cgi is restricted to the local area network. Successful exploitation therefore typically requires that remote management be enabled or that the attack be executed via the victim’s browser. Ultimately, this underscores a classic security paradox: legacy routers often remain in service for years, their configurations long forgotten and their vulnerabilities left unpatched in perpetuity.
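A defender-side check for the two conditions the article describes, added here as an example and not part of the article or of any D-Link or VulnCheck tooling: it scans constructed access-log lines for dnscfg.cgi requests whose parameter values are not bare IP addresses or simple tokens (an allowlist, since the handler is reported to pass unsanitized DNS parameters to the system), and for such requests arriving from outside RFC1918 space, which would indicate exposed remote management. The parameter names dnsPrimary/dnsSecondary, the log format and the timestamps are assumptions; the article does not name the parameters.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in common log format (not real captures).
# Parameter names dnsPrimary/dnsSecondary are assumed; the article does not name them.
SAMPLE_LOG = """\
192.168.1.23 - - [16/Dec/2025:10:01:02 +0000] "GET /dnscfg.cgi?dnsPrimary=192.168.1.1&dnsSecondary=8.8.8.8 HTTP/1.1" 200 512
203.0.113.77 - - [16/Dec/2025:10:02:45 +0000] "GET /dnscfg.cgi?dnsPrimary=8.8.8.8%3Bx&dnsSecondary=1.1.1.1 HTTP/1.1" 200 512
192.168.1.23 - - [16/Dec/2025:10:03:10 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.77 - - [16/Dec/2025:10:04:00 +0000] "GET /dnscfg.cgi?dnsPrimary=8.8.4.4&dnsSecondary=8.8.8.8 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# The article says the endpoint is normally reachable only from the LAN, so
# RFC1918 source ranges are the expected origin of legitimate requests.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def value_is_allowed(value: str) -> bool:
    """Allowlist: a DNS server field should be a bare IP address; a short
    alphanumeric token (e.g. a flag such as '1') is also accepted. Anything
    else, including shell metacharacters, is rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return re.fullmatch(r"[A-Za-z0-9._-]{0,32}", value) is not None

def analyze_request(line: str) -> list[str]:
    """Return findings for one log line; empty list if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/dnscfg.cgi"):
        return []
    findings = []
    src = ipaddress.ip_address(m["src"])
    if not any(src in net for net in LAN_NETS):
        findings.append(f"{src}: dnscfg.cgi reached from outside RFC1918 space (remote management exposed?)")
    # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if not value_is_allowed(value):
            findings.append(f"{src}: parameter {name!r} carries non-allowlisted characters: {value!r}")
    return findings

def scan_log(text: str) -> list[str]:
    return [f for line in text.splitlines() for f in analyze_request(line)]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```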