Vulnerability Description
Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly requesting this endpoint, an attacker can modify the device’s DNS settings without valid credentials, enabling DNS hijacking (“DNSChanger”) attacks that redirect user traffic to attacker-controlled infrastructure. In 2019, D-Link reported that this behavior was leveraged by the "GhostDNS" malware ecosystem targeting consumer and carrier routers. All impacted products were subsequently designated end-of-life/end-of-service and no longer receive security updates. Exploitation evidence was observed by the Shadowserver Foundation on 2025-11-27 (UTC).
Related Weaknesses (CWE)
References
- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP1
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10118
- https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10488
- https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configu
FAQ
What is CVE-2026-0625?
CVE-2026-0625 is a documented vulnerability. Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configur...
How severe is CVE-2026-0625?
CVSS scoring is not yet available for CVE-2026-0625. Check NVD for updates.
Is there a patch for CVE-2026-0625?
The impacted products were designated end-of-life/end-of-service and no longer receive security updates. Review the vendor advisories in the References section above for remediation guidance.