CVE-2026-0625

D-Link DSL/DIR/DNS Authentication Bypass via DNS Configuration Endpoint

Basic Information

CVE State: PUBLISHED
Reserved Date: January 05, 2026
Published Date: January 05, 2026
Last Updated: May 25, 2026
Vendor: D-Link
Product: DSL-2640B, DSL-2740R, DSL-2780B, DSL-526B, DSL-2640T, DSL-500, DSL-500G, DSL-502G, DIR-905L, DIR-600, DIR-608, DIR-610, DIR-611, DIR-615, DNS-320, DNS-325, DNS-345
Description
Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2026-06-01 10:47:42 UTC)

Known Exploited Vulnerability Information

Source: CVE
Added Date: 2026-06-01 10:47:41 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel