CVE-2026-0625

N/A Unknown

📋 TL;DR

This CVE describes an authentication bypass vulnerability in D-Link DSL/DIR/DNS devices that allows unauthenticated attackers to modify DNS settings via the dnscfg.cgi endpoint. This enables DNS hijacking attacks that redirect user traffic to malicious infrastructure. All affected devices are end-of-life and no longer receive security updates.

💻 Affected Systems

Products:
  • D-Link DSL/DIR/DNS series routers
Versions: All versions of affected end-of-life products
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected products are end-of-life/end-of-service with no security updates available.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete DNS hijacking leading to credential theft, malware distribution, and full traffic interception for all users behind the compromised router.

🟠 Likely Case

DNS redirection to phishing sites, ad injection, or malware distribution affecting all connected devices.

🟢 If Mitigated

No impact if devices are properly isolated or replaced with supported hardware.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation observed in the wild by Shadowserver Foundation on 2025-11-27. Previously leveraged by GhostDNS malware in 2019.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10068

Restart Required: No

Instructions:

No official patch available. All affected devices are end-of-life. Replace with supported hardware.

🔧 Temporary Workarounds

  • Disable WAN management access (applies to: all): prevent external access to the router management interface
  • Use firewall rules to block dnscfg.cgi (applies to: all): block access to the vulnerable endpoint

🧯 If You Can't Patch

  • Replace affected routers with supported hardware
  • Isolate vulnerable devices in separate network segments

🔍 How to Verify

Check if Vulnerable:

Check if device model is in affected D-Link DSL/DIR/DNS series and is end-of-life

Check Version:

Check router web interface or console for model and firmware version

Verify Fix Applied:

Verify device has been replaced with supported hardware

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to the /dnscfg.cgi endpoint that succeed (HTTP 200)
  • DNS configuration changes originating from unauthenticated sources

Network Indicators:

  • Unexpected DNS server changes
  • Traffic redirected to unknown IPs

SIEM Query:

source_ip=* AND uri_path="/dnscfg.cgi" AND http_status=200 AND auth_status="unauthenticated"
