“There will be no patch” says D-Link, as hackers exploit old routers


A newly discovered vulnerability has been exploited in the wild to target outdated D-Link routers and hijack them, cybersecurity researchers have warned.

Software on older models of D-Link routers is failing to properly sanitize user input, allowing attackers to send specially crafted requests to the router without authentication. This means that they can inject and execute arbitrary shell commands remotely, effectively hijacking old routers.

According to a report from cybersecurity firm VulnCheck, the vulnerability has been exploited in the wild since at least late November 2025. Researchers say that the improper input sanitization originates in the dnscfg.cgi library.


The affected endpoint is also tied to DNS modification behavior. The technique commonly referred to as DNSChanger enables attackers to silently redirect user traffic.


This issue relates to a broader class of attacks previously documented in 2016 and 2019 under the name GhostDNS.

The attacks targeted firmware variants of several DSL gateway models, including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B.

In January 2019, security researchers reported GhostDNS as a large-scale DNS hijacking system used for data theft.

Netlab, an information security research organization, reported at the time that more than 100,000 routers were affected worldwide, with a large concentration in Brazil. The affected devices included consumer and carrier-grade routers from multiple vendors, including D-Link.

“The recently referenced CVE-2026-0625 relates to the same general attack family as GhostDNS and DNSChanger. Many of the products cited in external reports reached end-of-life years ago and no longer receive firmware development or security updates,” writes D-Link in a security advisory.


Legacy devices are causing risks

According to D-Link, the exploited devices are legacy DSL gateways that reached end-of-life more than five years ago. These products no longer receive firmware updates, security patches, or engineering support.

D-Link confirmed it will not release a patch for CVE-2026-0625 and is urging customers to retire and replace affected devices with supported models.

“D-Link recommends retiring affected legacy devices and replacing them with supported products that receive regular firmware updates,” the company states.

“Owners of such devices should review network security, verify firmware status, and take appropriate action based on individual risk and usage. For products sold in the US, you can get the last known assets prior to EOL/EOS.”
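One way to check a client for the DNSChanger-style redirection described above, as an added example that is not from Cybernews, VulnCheck or D-Link: the script compares the resolvers in a resolv.conf-style file with an allow-list. The allow-list entries and the sample file are constructed, and the script assumes the client lists its DHCP-provided resolvers directly in that file.

```python
import ipaddress

# Constructed allow-list (assumption): gateway LAN address plus the ISP's resolver ranges.
EXPECTED_RESOLVERS = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("2001:db8:53::/64"),
]

# Constructed sample of a resolv.conf written by a DHCP client.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
search home.example
nameserver 192.168.1.1
nameserver 198.51.100.77   ; not on the allow-list
nameserver 2001:db8:53::1
nameserver not-an-ip
"""


def parse_nameservers(text):
    """Return (addresses, malformed) parsed from resolv.conf-style text."""
    addresses, malformed = [], []
    for raw in text.splitlines():
        # Drop '#' and ';' comments, then keep only 'nameserver <addr>' lines.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        candidate = fields[1].split("%", 1)[0]  # strip an IPv6 zone id such as %eth0
        try:
            addresses.append(ipaddress.ip_address(candidate))
        except ValueError:
            malformed.append(fields[1])
    return addresses, malformed


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Return (rogue, malformed): resolvers outside the allow-list, and unparsable entries."""
    addresses, malformed = parse_nameservers(text)
    rogue = [str(addr) for addr in addresses
             if not any(addr.version == net.version and addr in net for net in expected)]
    return rogue, malformed


if __name__ == "__main__":
    rogue, malformed = unexpected_resolvers(SAMPLE_RESOLV_CONF)
    for entry in rogue:
        print(f"ALERT unexpected resolver: {entry}")
    for entry in malformed:
        print(f"WARN malformed nameserver entry: {entry}")
```

On hosts that use a local stub resolver, point the script at the file that holds the upstream servers instead.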

Watch out, routers are under attack

Routers have been on the radar of cybercriminals, and their use in cyberattacks is surging. In June 2025, hackers were reportedly actively exploiting vulnerabilities in popular TP-Link routers.

In the same month, the FBI listed thirteen vulnerable end-of-life Linksys models as an easy target for cybercriminals. In a recent campaign, threat actors breached end-of-life routers using variants of TheMoon malware.

Eclypsium researchers warned of a surge in malicious scans for old, outdated, and vulnerable network equipment. According to them, hackers are targeting compromised end-of-life Cisco, Linksys, and Araknis Networks devices.

In November of the same year, a cyber-espionage campaign was detected that hijacked more than 50,000 ASUS home routers, turning them into components of a covert network.
