Description
Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).
Published: 2026-01-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential DNS hijacking leading to traffic redirection
Action: Retire Devices
AI Analysis

Impact

A flaw in the dnscfg.cgi endpoint on D‑Link DSL, DIR, and DNS devices permits an unauthenticated user to alter DNS settings without valid credentials. This authentication bypass (CWE‑306) allows the attacker to modify the device’s DNS configuration, redirecting all network traffic to malicious infrastructure. The vulnerability can be leveraged for DNS‑based hijacking, commonly referred to as “DNSChanger.”

Affected Systems

Affected devices include numerous consumer and carrier routers from D‑Link, such as the DIR‑600, DIR‑608, DIR‑610, DIR‑611, DIR‑615, DIR‑905L, DNS‑320, DNS‑325, DNS‑345, DSL‑2640B, DSL‑2640T, DSL‑2740R, DSL‑2780B, DSL‑500, DSL‑500G, DSL‑502G, and DSL‑526B. All of these models have reached end‑of‑life or end‑of‑service status and no longer receive firmware updates.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating a high severity. The EPSS score is less than 1%, indicating low current exploitation probability, but evidence from the Shadowserver Foundation dated 2025‑11‑27 shows real‑world use of the flaw. The attack vector is straightforward: an unauthenticated HTTP request to the dnscfg.cgi interface on the device’s management web server. No credentials or special privileges are required, and the exploit consists solely of sending a crafted request that changes the DNS settings. Based on the description, it is inferred that such a change can redirect traffic to attacker‑controlled servers, facilitating phishing or malware delivery if the user’s traffic is diverted.

Generated by OpenCVE AI on April 18, 2026 at 08:18 UTC.

Remediation

Vendor Solution

D-Link Systems, Inc. recommends retiring these products and replacing them with products that receive firmware updates.

OpenCVE Recommended Actions

  • Replace all affected D‑Link routers and DNS appliances with models that receive regular firmware updates and retire the end‑of‑life hardware.
  • If replacement is not immediately possible, disable remote web management or restrict access to the router’s console to the local network, eliminating exposure from external attackers.
  • Implement network monitoring to detect abnormal DNS configuration changes or traffic routing to suspicious IP addresses, and configure alerts for unauthorized modifications to DNS settings.

Generated by OpenCVE AI on April 18, 2026 at 08:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Dlink
Dlink dsl-2640b Firmware
Dlink dsl-2640t
Dlink dsl-2640t Firmware
Dlink dsl-2740r
Dlink dsl-2740r Firmware
CPEs cpe:2.3:h:dlink:dsl-2640t:-:*:*:*:*:*:*:*
cpe:2.3:h:dlink:dsl-2740r:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dsl-2640b_firmware:eu_4.01b:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dsl-2640t_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:dlink:dsl-2740r_firmware:uk_1.01:*:*:*:*:*:*:*
Vendors & Products Dlink
Dlink dsl-2640b Firmware
Dlink dsl-2640t
Dlink dsl-2640t Firmware
Dlink dsl-2740r
Dlink dsl-2740r Firmware

Tue, 20 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Thu, 08 Jan 2026 16:00:00 +0000

Type Values Removed Values Added
Description Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020. Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service, and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).
Title D-Link DSL Command Injection via DNS Configuration Endpoint D-Link DSL/DIR/DNS Command Injection via DNS Configuration Endpoint
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

 cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A'}

Wed, 07 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
References

Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared D-link
D-link dsl-2640b
D-link dsl-2740r
D-link dsl-2780b
D-link dsl-526b
Vendors & Products D-link
D-link dsl-2640b
D-link dsl-2740r
D-link dsl-2780b
D-link dsl-526b

Mon, 05 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Description Multiple D-Link DSL gateway devices contain a command injection vulnerability in the dnscfg.cgi endpoint due to improper sanitization of user-supplied DNS configuration parameters. An unauthenticated remote attacker can inject and execute arbitrary shell commands, resulting in remote code execution. The affected endpoint is also associated with unauthenticated DNS modification (“DNSChanger”) behavior documented by D-Link, which reported active exploitation campaigns targeting firmware variants of the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B models from 2016 through 2019. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC). Affected devices were declared end-of-life/end-of-service in early 2020.
Title D-Link DSL Command Injection via DNS Configuration Endpoint
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

D-link Dsl-2640b Dsl-2740r Dsl-2780b Dsl-526b
Dlink Dsl-2640b Firmware Dsl-2640t Dsl-2640t Firmware Dsl-2740r Dsl-2740r Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:06.519Z

Reserved: 2026-01-05T20:59:29.705Z

Link: CVE-2026-0625

cve-icon Vulnrichment

Updated: 2026-01-20T17:29:40.527Z

cve-icon NVD

Status : Deferred

Published: 2026-01-05T22:15:54.483

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0625

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:30:35Z

Weaknesses