D-Link DIR-878 routers affected by multiple RCE vulnerabilities
Summary
D-Link has disclosed four vulnerabilities in its end-of-life DIR-878 router, including three remotely exploitable command execution flaws. The vulnerabilities affect all models and hardware revisions of the router, which is still available for purchase. D-Link has warned that it will not release security updates for this model and recommends replacing it with an actively supported product. Additionally, a newly discovered critical security flaw, CVE-2026-0625, in legacy D-Link DSL gateway routers has come under active exploitation. This flaw allows unauthenticated remote attackers to execute arbitrary shell commands via the "dnscfg.cgi" endpoint. Affected models include DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B from 2016 through 2019. D-Link is investigating the use of the "dnscfg.cgi" CGI library across its product offerings and expects to publish an updated list of affected models.
Timeline
- 07.01.2026 06:31 (1 article): Active exploitation of CVE-2026-0625 in legacy D-Link DSL routers
  A newly discovered critical command injection flaw, CVE-2026-0625, in legacy D-Link DSL gateway routers has come under active exploitation. This flaw allows unauthenticated remote attackers to execute arbitrary shell commands via the "dnscfg.cgi" endpoint. Affected models include DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B from 2016 through 2019. D-Link is investigating the use of the "dnscfg.cgi" CGI library across its product offerings and expects to publish an updated list of affected models.
  Sources:
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- 20.11.2025 17:38 (2 articles): D-Link discloses RCE vulnerabilities in end-of-life DIR-878 routers
  D-Link has disclosed four vulnerabilities in its end-of-life DIR-878 router, including three remotely exploitable command execution flaws. The vulnerabilities affect all models and hardware revisions of the router, which is still available for purchase. Proof-of-concept exploit code has been published by a researcher, increasing the risk of exploitation by threat actors. D-Link has warned that it will not release security updates for this model and recommends replacing it with an actively supported product.
  Sources:
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
Information Snippets
- D-Link DIR-878 routers are affected by four vulnerabilities, three of which are remotely exploitable.
  First reported: 20.11.2025 17:38 (1 source, 1 article)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
- CVE-2025-60672 allows remote unauthenticated command execution via SetDynamicDNSSettings parameters.
  First reported: 20.11.2025 17:38 (1 source, 1 article)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
- CVE-2025-60673 allows remote unauthenticated command execution via SetDMZSettings and an unsanitized IPAddress value.
  First reported: 20.11.2025 17:38 (1 source, 1 article)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
- CVE-2025-60674 is a stack overflow in USB storage handling caused by an oversized “Serial Number” field.
  First reported: 20.11.2025 17:38 (1 source, 1 article)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
- Proof-of-concept exploit code for the vulnerabilities has been published by a researcher named Yangyifan.
  First reported: 20.11.2025 17:38 (1 source, 1 article)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
- The DIR-878 router has reached end-of-life, and D-Link will not release security updates for it.
  First reported: 20.11.2025 17:38 (2 sources, 2 articles)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has assessed the vulnerabilities as medium-severity.
  First reported: 20.11.2025 17:38 (1 source, 1 article)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
- The RondoDox botnet uses multiple known flaws, including some affecting D-Link devices.
  First reported: 20.11.2025 17:38 (1 source, 1 article)
  - D-Link warns of new RCE flaws in end-of-life DIR-878 routers — www.bleepingcomputer.com — 20.11.2025 17:38
- CVE-2026-0625 is a critical command injection flaw in the "dnscfg.cgi" endpoint of D-Link DSL routers due to improper sanitization of DNS configuration parameters.
  First reported: 07.01.2026 06:31 (1 source, 1 article)
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- CVE-2026-0625 has a CVSS score of 9.3 and allows unauthenticated remote attackers to execute arbitrary shell commands.
  First reported: 07.01.2026 06:31 (1 source, 1 article)
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- Exploitation attempts targeting CVE-2026-0625 were recorded by the Shadowserver Foundation on November 27, 2025.
  First reported: 07.01.2026 06:31 (1 source, 1 article)
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- Affected D-Link DSL router models include DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B from 2016 through 2019.
  First reported: 07.01.2026 06:31 (1 source, 1 article)
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- D-Link is investigating the use of the "dnscfg.cgi" CGI library across its product offerings and expects to publish an updated list of affected models.
  First reported: 07.01.2026 06:31 (1 source, 1 article)
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- CVE-2026-0625 enables unauthenticated remote code execution via the "dnscfg.cgi" endpoint, allowing attackers to alter DNS settings without credentials or user interaction.
  First reported: 07.01.2026 06:31 (1 source, 1 article)
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
- The impacted D-Link DSL models are end-of-life and unpatchable, posing elevated operational risks for organizations that continue to use them.
  First reported: 07.01.2026 06:31 (1 source, 1 article)
  - Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers — thehackernews.com — 07.01.2026 06:31
Similar Happenings
Critical Authentication Bypass Flaws in ASUS DSL and AiCloud Routers
ASUS has released firmware updates to patch multiple critical authentication bypass vulnerabilities, including CVE-2025-59367 and CVE-2025-59366, affecting various DSL and AiCloud-enabled routers. The flaws allow remote, unauthenticated attackers to gain unauthorized access to unpatched devices exposed online. Affected models include DSL-AC51, DSL-N16, DSL-AC750, and other AiCloud-enabled routers. Users are advised to update to the latest firmware version and implement additional security measures to mitigate potential attacks.
Critical Command Injection Vulnerability in Western Digital My Cloud NAS Devices
Western Digital has released firmware updates to address a critical-severity OS command injection vulnerability (CVE-2025-30247) affecting multiple My Cloud NAS models. The flaw allows remote attackers to execute arbitrary system commands through specially crafted HTTP POST requests. The vulnerability impacts several models, including My Cloud PR2100, PR4100, EX4100, EX2 Ultra, Mirror Gen 2, DL2100, EX2100, DL4100, and WDBCTLxxxxxx-10. Users are advised to update to firmware version 5.31.108 to mitigate the risk. Two models, My Cloud DL4100 and DL2100, have reached end of support and may not receive updates.
TP-Link Router Vulnerabilities Actively Exploited in the Wild
Two security flaws in TP-Link routers, CVE-2023-50224 and CVE-2025-9377, are being actively exploited. The vulnerabilities affect multiple router models, including the TL-WR841N and Archer C7, and allow for authentication bypass and remote code execution, respectively. The exploits are linked to the Quad7 botnet and a China-linked threat actor, Storm-0940. Federal agencies must apply mitigations by September 24, 2025. TP-Link has released firmware updates to address these issues. The affected routers have reached end-of-life (end-of-service) status, and users are advised to upgrade to newer hardware for enhanced protection.
Exploitation of Consumer Devices in Hybrid Work Environments
Consumer devices, such as D-Link cameras and video recorders, are increasingly being exploited to compromise enterprise systems. The hybrid work model has expanded the attack surface, as home networks—often built on outdated, insecure devices—serve as an extension of the corporate environment. These devices, which lack proper patching and support, are becoming fertile ground for threat actors aiming to infiltrate enterprise systems from the outside in. The risks stem from the lax security culture around consumer devices, which often remain unpatched and unsupported. Compromised home devices can intercept traffic, change DNS settings, or serve as footholds to access other systems, creating attack vectors that can be exploited to move laterally into business-critical resources. This issue is exacerbated by the fact that enterprise security teams have no control over the personal networks of remote workers, making it difficult to enforce security measures and monitor potential threats.
Image I/O Framework Zero-Day Exploited in Targeted Attacks
The zero-day vulnerability CVE-2025-43300 in Apple's Image I/O framework was exploited in targeted attacks against specific individuals. The flaw, an out-of-bounds write issue, was used in combination with a WhatsApp zero-day flaw (CVE-2025-55177) in sophisticated attacks potentially involving nation-state actors or spyware activity. The vulnerability affects multiple iOS, iPadOS, and macOS versions, as well as various iPhone, iPad, and Mac models, and impacts both older and newer devices. It was discovered by Apple security researchers and addressed with improved bounds checking. Apple has backported fixes for CVE-2025-43300 to older versions, including iOS 16.7.12, iPadOS 16.7.12, iOS 15.8.5, and iPadOS 15.8.5. Users are advised to update promptly to mitigate potential ongoing attacks. This is the seventh zero-day exploited in the wild that Apple has patched since the start of the year. Affected devices include iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPhone 8, iPhone 8 Plus, iPhone X, iPad Air 2, iPad mini (4th generation), iPad 5th generation, iPad Pro 9.7-inch, iPad Pro 12.9-inch 1st generation, iPod touch (7th generation), and Macs running macOS Sequoia, Sonoma, and Ventura. WhatsApp has also addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with the Apple flaw in targeted zero-day attacks. The WhatsApp vulnerability, CVE-2025-55177, is an insufficient authorization flaw in linked device synchronization messages. The flaw affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78. WhatsApp notified fewer than 200 users that they were targeted in an advanced spyware campaign over the last 90 days.