CVE-2026-0625 D-Link Discontinued Devices

BLUF

An OS command injection zero-day vulnerability in several discontinued D-Link gateway devices (DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B) is being actively exploited in the wild by unauthenticated, remote attackers.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For groups affected by active exploitation of CVE-2026-0625 in discontinued D-Link gateway devices:

  • Low-end total cost: $500,000 – $750,000
    (Limited device footprint, rapid isolation, minimal downstream impact)

  • Typical expected range: $900,000 – $1.6M
    (Multiple affected gateways, DNS assurance efforts, and compliance review)

  • Upper-bound realistic scenarios: $2M – $3.5M
    (Widespread deployment, prolonged exposure, insurance and regulatory complications)

Key cost driver:

Costs are driven less by immediate outages and more by loss of trust in core network control points. Router-level compromise and DNS manipulation force organizations to validate traffic integrity, credentials, and routing assumptions across the enterprise. The lack of vendor support or patching extends recovery timelines and increases assurance, governance, and replacement costs well beyond initial containment.

Targeted Sectors

·         General users

·         Home

·         Small business users of the specific D-Link devices.

Targeted Countries

·         Global

Date of First Reported Activity

·         Late November 2025

Date of Last Reported Activity Update

·         January 7, 2026

CVE-2026-0625

CVSS:3.1

·         (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Nessus ID

·         Not publicly available/published yet.

Is CVE-2026-0625 on the KEV list?

·         No

Patching

The affected D-Link models are discontinued (end-of-life) and no longer supported by the vendor.

No official patch will be released; the only remediation is removal or replacement of the device.

Mitigation

The primary recommendation is to disconnect the affected devices from the internet immediately and replace them with supported, updated hardware. Until a device can be replaced, at minimum make sure its web management interface (including dnscfg.cgi) is not reachable from the WAN side, restrict LAN access to the administration interface, and verify that the configured DNS servers have not been altered. Any device that was internet-exposed during the exploitation window should be treated as compromised rather than merely vulnerable.

APT Names

·         No APT groups have been associated with CVE-2026-0625 at this time.

Associated Criminal Organization Names

·         No Criminal organizations have been associated with CVE-2026-0625 at this time.


IOCs

Network Indicators

·         Targeted URL/Endpoint

Requests directed at http://[device_ip]/dnscfg.cgi.

·         Malicious Payloads

·         HTTP POST or GET requests containing shell metacharacters (e.g., ;, &, |, `), in raw or percent-encoded form (%3B, %26, %7C, %60), within DNS-related parameters intended to trigger command injection.

Tools Used in Campaign

·         Exploitation involves manipulating DNS configuration parameters to inject and execute arbitrary shell commands.

TTPs

·         T1202 Indirect Command Execution

o   Attackers leverage the vulnerable dnscfg.cgi endpoint to execute arbitrary shell commands via DNS configuration parameters.

·         T1190 Exploit Public-Facing Application

o   This vulnerability targets an externally accessible CGI endpoint on the router gateway to gain initial access or execution.

Potential Secondary Post-Exploitation TTPs

Based on historical and current observed behavior of this vulnerability (including its use in "DNSChanger" campaigns), threat actors may also employ:

·         T1565.003 Data Manipulation: Stored Data Manipulation

o   Specific campaigns (historically and recently) use this flaw to modify DNS settings, redirecting downstream traffic.

·         T1059.004 Command and Scripting Interpreter: Unix Shell

o   The OS command injection allows for the execution of arbitrary shell commands within the router's Unix-like firmware environment.

·         T1584.005 Compromise Infrastructure: Botnet

o   Compromised devices are frequently integrated into botnets for DDoS attacks or as proxies.
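The DNS-manipulation follow-on (T1565.003) above is the one a defender can check for directly on hosts behind a suspect gateway. The following script is an added example written for this advisory; it is not code from CyberDax, D-Link or any referenced source. It reads the two places a Linux DHCP client records its resolvers, /etc/resolv.conf and the ISC dhclient lease file, and reports any resolver not on an allow-list. The allow-list, both file contents and the gateway LAN address 10.0.0.1 are constructed for the example.

```python
"""Flag DNS resolvers on a downstream host that are not the ones the
organization expects (the T1565.003 follow-on described above).

Added example for this advisory; not code from CyberDax or D-Link.  It reads
the two places a Linux client records its resolvers, /etc/resolv.conf and the
ISC dhclient lease file, and compares them with an allow-list.  The allow-list
and both file contents below are constructed; 10.0.0.1 is a placeholder for
the gateway's LAN address.
"""
import ipaddress
import re

# Constructed: the gateway's LAN address (it proxies DNS for clients) and the
# organisation's upstream resolver.
EXPECTED_RESOLVERS = {"10.0.0.1", "9.9.9.9"}

# Constructed /etc/resolv.conf as a DHCP client would write it after a
# tampered gateway pushed an attacker-controlled resolver (198.51.100.53 is a
# documentation address standing in for the rogue server).
RESOLV_CONF = """\
# Generated by dhclient
search corp.example
nameserver 10.0.0.1
nameserver 198.51.100.53
"""

# Constructed dhclient lease file with two leases; only the last one is current.
DHCLIENT_LEASES = """\
lease {
  interface "eth0";
  option domain-name-servers 10.0.0.1, 9.9.9.9;
  option routers 10.0.0.1;
}
lease {
  interface "eth0";
  option domain-name-servers 10.0.0.1, 198.51.100.53;
  option routers 10.0.0.1;
}
"""

LEASE_DNS_RE = re.compile(r"option domain-name-servers ([^;]+);")


def resolvers_from_resolv_conf(text):
    """Nameserver addresses in resolv.conf order (comments and options ignored)."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            out.append(fields[1])
    return out


def resolvers_from_leases(text):
    """DNS servers from the *last* lease block, which is the one in force."""
    matches = LEASE_DNS_RE.findall(text)
    if not matches:
        return []
    return [ip.strip() for ip in matches[-1].split(",")]


def rogue_resolvers(resolvers, expected=EXPECTED_RESOLVERS):
    """Return the sorted set of resolvers that are not on the allow-list.
    Anything that is not a valid IP address is reported too, since a DHCP
    option or resolv.conf entry should only ever hold addresses."""
    rogue = set()
    for r in resolvers:
        try:
            addr = str(ipaddress.ip_address(r))  # normalises e.g. IPv6 forms
        except ValueError:
            rogue.add(r)
            continue
        if addr not in expected:
            rogue.add(addr)
    return sorted(rogue)


def check_host(resolv_conf=RESOLV_CONF, leases=DHCLIENT_LEASES):
    """Combine both sources; a resolver that appears in either is checked."""
    seen = resolvers_from_resolv_conf(resolv_conf) + resolvers_from_leases(leases)
    return rogue_resolvers(seen)


if __name__ == "__main__":
    print(check_host())  # ['198.51.100.53'] with the constructed inputs above
```

A clean result on the client does not clear the gateway: when clients point at the gateway itself (10.0.0.1 here), the setting the attacker changed is the gateway's upstream resolver, which is only visible on the gateway's own configuration page or by comparing answers from the gateway with answers from a trusted resolver for the same names.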

Malware Names

·         There is no malware associated with this campaign at this time.

Suggested Rules / potential hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata

HTTP GET requests whose URI targets the vulnerable endpoint and carries command injection characters (;, |, `) in raw or percent-encoded form, plus a second rule for the same characters in a POST body. "&" is left out of the pattern on purpose: it is the ordinary form-field separator and matching it raw would fire on every multi-parameter request.


alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link dnscfg.cgi Command Injection Attempt in URI (CVE-2026-0625)"; flow:established,to_server; http.uri; content:"/dnscfg.cgi"; fast_pattern; http.uri; pcre:"/\/dnscfg\.cgi\?\S*(?:[;|`]|%3B|%7C|%60)/i"; reference:cve,2026-0625; classtype:attempted-admin; sid:20260625; rev:2;)

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link dnscfg.cgi Command Injection Attempt in POST body (CVE-2026-0625)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnscfg.cgi"; fast_pattern; http.request_body; pcre:"/(?:[;|`]|%3B|%7C|%60)/i"; reference:cve,2026-0625; classtype:attempted-admin; sid:20260626; rev:1;)

SentinelOne

Hunt for unauthorized management traffic to D-Link devices:

EventType = "Network Connection" AND (DstPort = 80 OR DstPort = 443) AND NetUrl CONTAINS "dnscfg.cgi"


Identify unexpected shell activity spawned by a web server process. The affected gateways cannot run an EDR agent, so this pattern only applies to agent-managed Linux hosts that expose their own web server; for the gateway itself, rely on the network hunts above.

ProcessName IN ("sh", "bash", "busybox") AND ParentProcessName IN ("httpd", "webserver")

Splunk

Search for requests to the vulnerable endpoint containing injection characters, raw or percent-encoded. "&" is omitted because it separates query parameters and would match nearly every request.

index=web_logs uri_path="*/dnscfg.cgi*" (uri_query="*;*" OR uri_query="*|*" OR uri_query="*`*" OR uri_query="*%3B*" OR uri_query="*%7C*" OR uri_query="*%60*")

| stats count by src_ip, uri_path, user_agent, status
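The network indicator above (requests to /dnscfg.cgi with shell metacharacters in DNS parameters) and the Splunk search both reduce to the same check, which is easier to reason about, and to test against encoded payloads, in a few lines of code. The following is an added example written for this advisory, not code from CyberDax, D-Link or any referenced source. It assumes Apache/nginx "combined" access-log format; the parameter names dns1 and dns2 are placeholders because the advisory does not name the vulnerable parameters, and the log lines and source addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Scan HTTP access-log lines for CVE-2026-0625 exploitation attempts.

Added example for this advisory; it is not code from CyberDax, D-Link or any
referenced source.  It applies the page's network indicator (requests to
/dnscfg.cgi whose DNS parameters carry shell metacharacters) to constructed
log lines.  Assumptions: Apache/nginx "combined" log format; parameter names
dns1/dns2 are placeholders, since the advisory does not name them; source
addresses are RFC 5737 documentation ranges.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Injection metacharacters from the advisory.  '&' is included deliberately:
# parse_qsl splits fields on a raw '&' *before* percent-decoding, so any '&'
# that survives inside a value came from '%26', and a legitimate DNS server
# address never contains one.  Raw '&' field separators therefore never fire.
SHELL_META = re.compile(r"[;|`&]|\$\(")

# Apache/nginx combined format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic).  Line 2 carries an encoded ';'.
# Line 3 is a POST: access logs do not record bodies, so a body-borne payload
# is invisible here and needs the Suricata rule or a WAF log instead.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2026:10:15:02 +0000] "GET /dnscfg.cgi?dns1=8.8.8.8&dns2=8.8.4.4 HTTP/1.1" 200 512
203.0.113.9 - - [07/Jan/2026:10:16:41 +0000] "GET /dnscfg.cgi?dns1=8.8.8.8%3Bid&dns2=8.8.4.4 HTTP/1.1" 200 512
198.51.100.23 - - [07/Jan/2026:10:17:05 +0000] "POST /dnscfg.cgi HTTP/1.1" 302 0
192.0.2.44 - - [07/Jan/2026:10:18:30 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 1024
"""


def injected_params(target):
    """Return [(name, decoded_value)] for dnscfg.cgi query parameters that
    contain shell metacharacters; [] for any other path or a clean request."""
    parts = urlsplit(target)
    if not parts.path.endswith("/dnscfg.cgi"):
        return []
    # parse_qsl percent-decodes values, so '%3B' and ';' are treated alike.
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if SHELL_META.search(value)]


def scan_log(lines):
    """Yield one alert dict per log line that matches the indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        hits = injected_params(m["target"])
        if hits:
            yield {"src": m["src"], "ts": m["ts"], "method": m["method"],
                   "status": int(m["status"]), "params": hits}


def alerts_by_source(lines):
    """Equivalent of the Splunk 'stats count by src_ip' above."""
    counts = {}
    for alert in scan_log(lines):
        counts[alert["src"]] = counts.get(alert["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(alert)
    print(alerts_by_source(SAMPLE_LOG.splitlines()))
```

Run it against a real access log with `scan_log(open(path))`. The POST line in the sample is the important negative case: an access log only shows that dnscfg.cgi was posted to, so body-borne payloads must be caught on the wire (the Suricata rule above) or in a proxy/WAF log that retains request bodies.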


Search for unusual internal-to-external traffic originating from a gateway IP that may indicate a reverse shell or botnet check-in. Extend the excluded ports with whatever the gateway legitimately uses in your environment (NTP, TR-069/ACS management, vendor update servers). Note that on the WAN side the gateway's address also carries all NATed client traffic, so baseline first and look for destinations and ports no client would use.

index=network_traffic src_ip IN (LIST_OF_GATEWAY_IPS) NOT dest_port IN (53, 80, 123, 443)

| stats count, sum(bytes_out) AS bytes_out, values(dest_port) AS dest_ports BY src_ip, dest_ip

Delivery Method

o   Remote unauthenticated OS command injection attack via network access to vulnerable device interfaces.

Email Samples

o   Not applicable; this is a direct network attack with no phishing or email component.

References

Tenable

·         hxxps://www.tenable.com/cve/CVE-2026-0625

NVD

·         hxxps://nvd.nist.gov/vuln/detail/CVE-2026-0625

Security Week

·         hxxps://www.securityweek.com/hackers-exploit-zero-day-in-discontinued-d-link-devices/
