An OS command injection vulnerability in discontinued D-Link gateway devices has been exploited in the wild as a zero-day.
Tracked as CVE-2026-0625 (CVSS score of 9.3), the security defect exists because the dnscfg.cgi library does not properly sanitize user-supplied DNS configuration parameters.
The issue allows remote, unauthenticated attackers to inject and execute arbitrary shell commands, achieving remote code execution (RCE), vulnerability intelligence firm VulnCheck explains.
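The class of fix that the flaw description above points to, shown as an added example (it is not D-Link firmware code and does not come from the advisory): a DNS server value is accepted only if it parses as a literal IP address, it is re-serialized from its binary form, and the resolver configuration is built in memory without a shell. The function names and the two-parameter shape are assumptions made for illustration.

```c
/* Added example: hypothetical helper names, not D-Link firmware code. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Parse a user-supplied DNS server value and re-serialize it from its
 * binary form, so the text that is stored is generated, never echoed.
 * Returns 0 only for a literal IPv4/IPv6 address; anything else
 * (shell metacharacters, whitespace, hostnames) returns -1. */
int canonical_dns_addr(const char *in, char *out, size_t outlen)
{
    unsigned char bin[sizeof(struct in6_addr)];

    if (in == NULL || strlen(in) >= INET6_ADDRSTRLEN)
        return -1;
    if (inet_pton(AF_INET, in, bin) == 1)
        return inet_ntop(AF_INET, bin, out, (socklen_t)outlen) ? 0 : -1;
    if (inet_pton(AF_INET6, in, bin) == 1)
        return inet_ntop(AF_INET6, bin, out, (socklen_t)outlen) ? 0 : -1;
    return -1;
}

/* Build resolv.conf text in memory from two request parameters. The caller
 * writes buf out with fopen/fputs; no command line is ever assembled.
 * Returns the number of bytes produced, or -1 if either value is rejected. */
int render_resolv_conf(const char *primary, const char *secondary,
                       char *buf, size_t buflen)
{
    char p[INET6_ADDRSTRLEN], s[INET6_ADDRSTRLEN];
    int n;

    if (canonical_dns_addr(primary, p, sizeof p) != 0 ||
        canonical_dns_addr(secondary, s, sizeof s) != 0)
        return -1;
    n = snprintf(buf, buflen, "nameserver %s\nnameserver %s\n", p, s);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

int main(void)
{
    char buf[128];
    /* Constructed inputs: a clean pair, then one with a trailing separator. */
    printf("%d\n", render_resolv_conf("192.0.2.53", "2001:db8::53", buf, sizeof buf));
    printf("%d\n", render_resolv_conf("192.0.2.53;x", "192.0.2.54", buf, sizeof buf));
    return 0;
}
```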
“The affected endpoint can be related to unauthenticated DNS modification (DNSChanger) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019,” VulnCheck says.
Based on data from The Shadowserver Foundation, CVE-2026-0625 has been exploited in the wild since late November 2025, the vulnerability intelligence firm notes.
According to D-Link, the exploited zero-day impacts multiple device models. However, variations in firmware implementations make it difficult to compile a list of vulnerable appliances.
“D-Link continues an in-depth firmware-level review to determine affected devices. An updated list of specific models and, where applicable, firmware versions under review will be published later this week,” the vendor notes in an advisory.
The confirmed vulnerable models, D-Link says, are legacy DSL gateway appliances that were discontinued half a decade ago.
“All confirmed findings to date point to legacy DSL gateway products that reached End of Life or End of Support more than five years ago. These products no longer receive firmware updates, security patches, or active engineering maintenance,” the company explains.
No patch will be released for the zero-day, and the owners of the vulnerable D-Link products should retire them and replace them with supported models, the company says.
There does not appear to be any information on the attacks exploiting CVE-2026-0625, but compromised D-Link networking devices can be abused by threat actors for various purposes, including DDoS attacks, proxy services, traffic interception and redirection, and lateral movement.
