Attackers Exploit Zero-Day in End-of-Life D-Link Routers

Attackers Exploit Zero-Day in End-of-Life D-Link Routers

Hackers are actively exploiting a zero-day vulnerability (CVE-2026-0625, CVSS 9.3) in unsupported D-Link DSL gateway devices to execute arbitrary shell commands. This exploitation was first reported by VulnCheck on December 16, 2025, after observing active attacks in production environments.

The reality is that maintaining security for end-of-life devices is impossible without continued vendor support; ideal models assume timely patching, which is unavailable for these routers. The cost of neglecting end-of-life devices can include data breaches, network compromise, and remediation expenses potentially reaching hundreds of thousands of dollars.

Key Insights

• CVE-2026-0625 (2026): A command injection vulnerability in the dnscfg.cgi endpoint of D-Link routers.
• End-of-Life Risk: Unsupported devices lack security updates, creating long-term attack surfaces.
• CISA Catalog: Five D-Link vulnerabilities were added to CISA’s known exploited vulnerabilities catalog in 2025 alone, highlighting persistent risks.

Practical Applications

• Use Case: Small businesses utilizing older D-Link DSL gateways are at risk of network compromise and data theft.
• Pitfall: Prolonging the use of end-of-life network equipment due to budget constraints creates significant security vulnerabilities.

References:

• https://www.darkreading.com/cyberattacks-data-breaches/attackers-exploit-zero-day-end-of-life-d-link-routers