CVE-2026-0625

High PUBLISHED

D-Link DSL/DIR/DNS Authentication Bypass via DNS Configuration Endpoint

D-Link · DSL-2640B, DSL-2740R, DSL-2780B, DSL-526B, DSL-2640T, DSL-500, DSL-500G, DSL-502G, DIR-905L, DIR-600, DIR-608, DIR-610, DIR-611, DIR-615, DNS-320, DNS-325, DNS-345

Not yet in CISA KEV

Exploited in the wild

Recommended Action

Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.

Confidence
High
Exploitation Status
Exploited in the wild
Observed in Sensors
No
Attempts (30d)
Unique Attacker IPs
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
9.3 Critical EPSS 1.0%

At a Glance

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).

CVE Published
Jan 05, 2026
Exploitation Reported
Jun 01, 2026
CVSS
9.3 Critical
EPSS
1.0%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
D-Link
DSL-2640B

0

Affected
D-Link
DSL-2740R

0

Affected
D-Link
DSL-2780B

0

Affected
D-Link
DSL-526B

0

Affected
D-Link
DSL-2640T

0

Affected
D-Link
DSL-500

0

Affected
D-Link
DSL-500G

0

Affected
D-Link
DSL-502G

0

Affected
D-Link
DIR-905L

0

Affected
D-Link
DIR-600

0

Affected
D-Link
DIR-608

0

Affected
D-Link
DIR-610

0

Affected
D-Link
DIR-611

0

Affected
D-Link
DIR-615

0

Affected
D-Link
DNS-320

0

Affected
D-Link
DNS-325

0

Affected
D-Link
DNS-345

0

Affected

CVE References

Recommended Actions

  • Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.