Critical Zero-Day in D-Link DSL Gateways Under Active Exploitation

A severe command injection vulnerability in end-of-life D-Link DSL gateway devices is being actively exploited by threat actors, with no patch forthcoming from the manufacturer.

The Vulnerability

Tracked as CVE-2026-0625 with a critical CVSS score of 9.3, the flaw exists in the dnscfg.cgi component responsible for handling DNS configuration. Due to insufficient input sanitization, remote attackers can inject malicious shell commands without authentication—achieving full remote code execution on vulnerable devices.

Active Exploitation Confirmed

Vulnerability intelligence firm VulnCheck has linked the vulnerable endpoint to previous DNSChanger campaigns that targeted D-Link gateways between 2016 and 2019. Affected models from those earlier attacks included:

  • DSL-2740R
  • DSL-2640B
  • DSL-2780B
  • DSL-526B

Telemetry from The Shadowserver Foundation indicates that exploitation of CVE-2026-0625 began in late November 2025, confirming this is being weaponized as a zero-day in the wild.

D-Link has acknowledged the vulnerability but confirmed that all affected devices are legacy products that reached end-of-life or end-of-support over five years ago. The company will not release a security patch.

"D-Link continues a detailed firmware-level review to determine affected devices," the company stated. "An updated list of specific models will be published later this week."

The vendor's official recommendation: retire and replace affected gateways with currently supported hardware.

Potential Impact

Compromised D-Link gateways could be leveraged for:

  • DDoS botnets – Adding firepower to distributed attacks
  • Proxy infrastructure – Routing malicious traffic through residential IPs
  • Traffic interception – Redirecting DNS queries to attacker-controlled servers
  • Network pivoting – Using the gateway as a foothold to move laterally within internal networks

Recommendations

Organizations and home users with older D-Link DSL gateways should:

  1. Check if your device is affected – Monitor D-Link's advisory for the updated model list
  2. Replace legacy hardware immediately – No patch will be issued
  3. Monitor for signs of compromise – Unusual DNS behavior, unexpected outbound connections
  4. Segment IoT/network devices – Limit exposure if replacement isn't immediately possible
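The third recommendation above names two signs of compromise, unusual DNS behavior and unexpected outbound connections, without saying how to look for them. The following script is an added example, not code from the article or from D-Link: it reads gateway flow records (the log format, addresses, configured-resolver set and port baseline are all constructed for illustration) and flags DNS traffic the gateway sends to resolvers it was never configured to use, the pattern the earlier DNSChanger campaigns relied on, plus gateway-originated connections to public hosts on ports outside a known baseline.

```python
"""Added example (not from the article): flag the two compromise signs the
recommendations list for a DSL gateway -- DNS queries going to resolvers the
owner did not configure, and unexpected outbound connections from the gateway
itself.  Log format, addresses, the resolver allowlist and the port baseline
are constructed for illustration and must be replaced with your own values."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow log: "timestamp src dst proto dport", one flow per line.
SAMPLE_FLOWS = """\
2025-11-28T10:00:01 192.168.1.1 1.1.1.1 udp 53
2025-11-28T10:00:02 192.168.1.1 1.0.0.1 udp 53
2025-11-28T10:00:03 192.168.1.1 203.0.113.77 udp 53
2025-11-28T10:00:04 192.168.1.1 203.0.113.77 udp 53
2025-11-28T10:00:05 192.168.1.1 198.51.100.9 tcp 4444
2025-11-28T10:00:06 192.168.1.42 93.184.216.34 tcp 443
2025-11-28T10:00:07 192.168.1.1 192.168.1.42 tcp 80
"""

GATEWAY = "192.168.1.1"                      # constructed LAN address of the gateway
ALLOWED_RESOLVERS = {"1.1.1.1", "1.0.0.1"}   # resolvers the owner configured (constructed)
EXPECTED_GATEWAY_PORTS = {53, 123, 443}      # ports a gateway normally talks on (constructed baseline)
PRIVATE_NETS = [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


def parse_flows(text):
    """Turn the whitespace-separated flow log into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport)})
    return flows


def is_private(addr):
    """True for RFC 1918 destinations, which are not 'outbound' for this check."""
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)


def rogue_resolvers(flows):
    """Count DNS flows the gateway sent to resolvers outside the configured set.

    A gateway whose DNS settings were rewritten shows up here immediately."""
    hits = Counter()
    for f in flows:
        if f["src"] == GATEWAY and f["dport"] == 53 and f["dst"] not in ALLOWED_RESOLVERS:
            hits[f["dst"]] += 1
    return dict(hits)


def unexpected_outbound(flows):
    """Gateway-originated flows to public hosts on ports outside the baseline.

    Traffic to LAN hosts is ignored; only the gateway talking out is of interest."""
    return [f for f in flows
            if f["src"] == GATEWAY
            and not is_private(f["dst"])
            and f["dport"] not in EXPECTED_GATEWAY_PORTS]


def analyze(text):
    """Run both checks over a flow log and return the findings."""
    flows = parse_flows(text)
    return {"rogue_resolvers": rogue_resolvers(flows),
            "unexpected_outbound": unexpected_outbound(flows)}


if __name__ == "__main__":
    findings = analyze(SAMPLE_FLOWS)
    for resolver, count in findings["rogue_resolvers"].items():
        print(f"ALERT: gateway sent {count} DNS queries to unconfigured resolver {resolver}")
    for f in findings["unexpected_outbound"]:
        print(f"ALERT: gateway connected out to {f['dst']}:{f['dport']}/{f['proto']} at {f['ts']}")
```

On the constructed sample the first check reports two queries to 203.0.113.77 and the second reports a single TCP connection to 198.51.100.9 on port 4444; the LAN-bound flow and the client's HTTPS session are ignored. Feed it exported flow or firewall logs from the device in front of the gateway rather than from the gateway itself, since a compromised gateway cannot be trusted to report its own traffic honestly.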
