A recently identified critical security flaw in legacy D-Link DSL gateway routers is being actively exploited in the wild. The vulnerability, tracked as CVE-2026-0625 (CVSS score: 9.3), is a command injection in the "dnscfg.cgi" endpoint. As of early 2020, some of the affected devices had reached end-of-life (EoL) status.

Because the vulnerability affects phased-out DSL gateway products, it is crucial for device owners to retire them and switch to actively supported devices that get frequent firmware and security updates. "Once changed, DNS entries have the ability to covertly reroute, intercept, or block downstream traffic, creating a long-lasting compromise that impacts all devices behind the router," according to Field Effect.

According to the cybersecurity company, the identity of the threat actors exploiting the vulnerability and the scale of their efforts are currently unknown. It is attempting to determine how the CGI library has been used historically and currently in all of its product offerings. After a firmware-level review is finished, an updated list of particular models is anticipated to be released later this week.

"Current analysis shows no reliable model number detection method beyond direct firmware inspection," D-Link stated. "D-Link is validating firmware builds across legacy and supported platforms as part of the investigation because of this."