CVE-2026-0625: Critical Vulnerability in D-Link DSL/DIR/DNS Devices

CVE-2026-0625 is classified as a critical vulnerability with a CVSS score of 9.3, indicating significant risk to affected systems. This vulnerability allows an unauthenticated attacker to exploit an authentication bypass and improper access control in the dnscfg.cgi endpoint of multiple D-Link DSL, DIR, and DNS devices. By directly requesting this endpoint, attackers can modify DNS settings without valid credentials, effectively enabling DNS hijacking, or 'DNSChanger' attacks. The implications of such an attack are substantial, as attackers can redirect user traffic to malicious infrastructure.

The severity of this vulnerability is underscored by its potential to affect numerous users and systems, especially considering that the impacted products have been designated end-of-life and no longer receive security updates. The risk to organizations includes exposure to unauthorized changes in DNS settings, leading to significant security incidents and data breaches.

Exploitation evidence was observed by the Shadowserver Foundation on November 27, 2025. Given the critical nature of this vulnerability, organizations using affected D-Link devices should prioritize remediation efforts immediately, as the vulnerability leverages known attack vectors that have been identified and exploited in the past.

Organizations should assess their exposure to this vulnerability and take necessary actions, such as implementing network controls and monitoring for any unauthorized changes to DNS settings, to mitigate potential impacts.

Vulnerability Details

The vulnerability in question is characterized by an authentication bypass and improper access control in the dnscfg.cgi endpoint, which allows unauthorized access to DNS configuration functionality. This is a critical issue because it enables attackers to manipulate DNS settings without needing to authenticate, thus facilitating DNS hijacking attacks.

The vulnerability was published on January 5, 2026, and is classified under CWE-306, indicating that it relates to improper restrictions on the basis of authentication. The CVSS score of 9.3 reflects the severe impact on confidentiality, integrity, and availability.

Technical Analysis

The root cause of CVE-2026-0625 lies in the design of the dnscfg.cgi endpoint, which fails to enforce proper authentication mechanisms. The attack vector is through the network, and the attack complexity is low, requiring no privileges or user interaction to exploit.

Given the high severity of the vulnerability, it results in high impacts on confidentiality, integrity, and availability, making it a critical risk for organizations using affected devices. The vulnerability's exploitation could lead to unauthorized settings modification and redirection of user traffic to malicious sites.

Risk & Impact Analysis

The real-world deployment risk associated with CVE-2026-0625 is significant, particularly for organizations that utilize D-Link DSL, DIR, or DNS devices. Given that these devices have reached end-of-life status, they do not receive security updates, thus leaving organizations vulnerable to exploitation. The potential for DNS hijacking can lead to a wide blast radius, affecting not only the organization but also its clients and users.

Organizations should assess their exposure based on the criticality of the vulnerability and prioritize patching or replacing affected devices. The urgency for remediation is underscored by the observed exploitation evidence and the potential for significant financial and reputational damage.

Affected Versions

As of now, specific versions of D-Link DSL, DIR, and DNS devices are affected; however, all impacted products have been designated end-of-life. Organizations should confirm the exact device models in use and their status concerning security updates.

Mitigation & Remediation

Organizations should prioritize patching immediately. Given the end-of-life status of affected devices, consider replacing them with newer models that receive regular security updates. For those unable to replace devices, implementing strict network controls to limit access to the dnscfg.cgi endpoint may provide a temporary mitigation strategy.

Regular monitoring of DNS settings and alerts for unauthorized changes can help organizations detect potential exploitation attempts and respond swiftly. Ensuring proper security configurations and user access controls is essential for protecting network integrity.

Detection Guidance

Organizations should monitor logs for unusual access patterns to the dnscfg.cgi endpoint. Additionally, behavioral anomalies in DNS settings should be flagged for investigation. Any unauthorized changes to DNS configurations should be treated as a potential security incident.

AppSecure Threat Intelligence Insight

CVE-2026-0625 exemplifies the risks associated with using end-of-life technology. The lack of ongoing support for these devices leaves organizations vulnerable to exploitation. Security teams should take this incident as a lesson on the importance of maintaining an updated inventory of all network devices, ensuring they are supported and secure.

Organizations may also benefit from engaging in proactive security measures such as regular penetration testing to identify vulnerabilities before they can be exploited. For further guidance, organizations can refer to our comprehensive penetration testing services.

By staying informed about emerging threats and vulnerabilities, organizations can fortify their defenses against potential attacks and safeguard their infrastructure.