D-Link DSL gateway routers command injection (CVE-2026-0625, actively exploited)
Vulnerability
Summary
CVE-2026-0625 is an unauthenticated command injection flaw affecting legacy D-Link DSL gateway routers, creating remote code execution risk for exposed management interfaces. The bug sits in dnscfg.cgi, where improper input sanitization allows arbitrary shell commands to be executed. Shadowserver observed an exploitation attempt, and D-Link confirmed that the affected models have been end-of-life since 2020 and will not receive fixes. Operators are being told to retire and replace the devices or isolate them on segmented networks.
Related Happenings
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
FCC bans new foreign-made consumer routers
Public Sector Action
First: 25.03.2026 09:11
Last: 25.03.2026 09:11
Sources 1
About this happening:
The U.S. Federal Communications Commission banned the import of new foreign-made consumer routers after concluding they pose unacceptable cyber and national security risks to U.S....
Latest development: 26.03.2026 21:48
The FCC's March 23 ban on new foreign-made consumer-grade routers may leave U.S. consumers and small businesses using older devices longer, while businesses replacing network gear could face a more constrained and potentially more expensive market with fewer approved options and longer procurement cycles.
Cisco Catalyst SD-WAN active exploitation wave
Exploitation Wave
First: 05.03.2026 14:15
Last: 05.03.2026 14:15
Sources 1
About this happening:
**Cisco** confirmed **active exploitation** of **two recently patched Catalyst SD-WAN vulnerabilities**, creating immediate risk for exposed systems that have not been fully remed...
React Native Metro servers Metro4Shell exploitation wave (CVE-2025-11953)
Exploitation Wave
First: 03.02.2026 16:00
Last: 03.02.2026 16:00
Sources 1
About this happening:
Repeated exploitation of **CVE-2025-11953** is hitting exposed **React Native Metro servers**, creating remote command and payload-delivery risk across a large development-systems...
Broadcom VMware vCenter Server and Cloud Foundation patch advisory (CVE-2024-37079)
Advisory/Mitigation
First: 26.01.2026 13:49
Last: 26.01.2026 13:49
Sources 1
About this happening:
**Broadcom** told customers to apply security patches for **CVE-2024-37079** in **vCenter Server** and **Cloud Foundation**, after the flaw was tied to **active exploitation** and...
Timeline
-
08.01.2026 11:13 1 articles · 4mo ago
Cisco patches CVE-2026-20029 in ISE and ISE-PIC
Initial Disclosure: Cisco patched CVE-2026-20029 in Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) after public proof-of-concept exploit code appeared. The XML parsing flaw in the web-based management interface can let an attacker with valid administrative credentials upload a malicious file and read arbitrary files from the underlying operating system on unpatched devices, including sensitive data.
- Cisco warns of Identity Service Engine flaw with exploit code — www.bleepingcomputer.com — 08.01.2026 11:13
-
06.01.2026 21:52 1 articles · 4mo ago
VulnCheck reports D-Link router command injection
Initial Disclosure: VulnCheck reported a command injection vulnerability affecting legacy D-Link DSL gateway routers to D-Link on December 15 after The Shadowserver Foundation observed a command injection exploitation attempt on one of its honeypots, indicating the dnscfg.cgi attack surface was already being probed.
- New D-Link flaw in legacy DSL routers actively exploited in attacks — www.bleepingcomputer.com — 06.01.2026 21:52
-
06.01.2026 21:52 1 articles · 4mo ago
D-Link confirms affected legacy DSL router models
Technical Analysis Update: D-Link, working with VulnCheck, confirmed that CVE-2026-0625 affects DSL-526B ≤ 2.01, DSL-2640B ≤ 1.07, DSL-2740R < 1.17, and DSL-2780B ≤ 1.01.14. The vendor stated that the routers have been end-of-life since 2020 and warned that no firmware updates, security patches, or maintenance will be issued, advising replacement with supported models or deployment only on segmented non-critical networks.
- New D-Link flaw in legacy DSL routers actively exploited in attacks — www.bleepingcomputer.com — 06.01.2026 21:52