A serious security flaw, tracked as CVE-2026-0625, has been identified in older D-Link DSL gateway routers. The vulnerability has a CVSS score of 9.3 and allows unauthenticated remote attackers to execute arbitrary shell commands through a command injection in the "dnscfg.cgi" endpoint. The flaw affects various models, including the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B, which were produced between 2016 and 2019. The issue stems from improper handling of DNS configuration parameters, and exploitation attempts have already been observed as of late November 2025.
D-Link has begun an internal investigation following a report from VulnCheck about the ongoing exploitation. The company acknowledged the challenges in determining which models are affected due to differences in firmware across product generations. Some of the impacted models have reached end-of-life status as of early 2020 and will not receive patches. D-Link plans to release a detailed list of affected models once its review is complete.
Field Effect highlighted the potential risks associated with this vulnerability, noting that it mirrors mechanisms used in past DNS hijacking campaigns. By exploiting this flaw, attackers can manipulate DNS settings without needing user interaction, potentially compromising all devices connected to the router. D-Link urges users of these legacy models to upgrade to newer devices that receive regular security updates, as continuing to use these outdated routers significantly increases operational risks.
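For networks that still have one of these gateways in service, requests reaching "dnscfg.cgi" are worth reviewing. The following is an added example, not code from D-Link, VulnCheck or Field Effect: it scans HTTP access logs for requests to that endpoint that come from outside the management LAN or carry parameter values with characters a DNS setting should never contain. It assumes the logs come from a proxy or HTTP sensor in front of the router in common log format; the sample lines, the parameter names (dns_a, dns_b) and the 192.168.1.0/24 management range are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines; parameter names dns_a/dns_b are hypothetical
# and PLACEHOLDER stands in for whatever follows the unexpected character.
SAMPLE_LOG = """\
192.168.1.10 - - [28/Nov/2025:10:01:02 +0000] "GET /dnscfg.cgi?dns_a=192.0.2.53&dns_b=192.0.2.54 HTTP/1.1" 200 512
203.0.113.77 - - [28/Nov/2025:10:03:40 +0000] "GET /dnscfg.cgi?dns_a=198.51.100.9 HTTP/1.1" 200 512
203.0.113.80 - - [28/Nov/2025:10:04:11 +0000] "GET /dnscfg.cgi?dns_a=192.0.2.53%3BPLACEHOLDER HTTP/1.1" 200 512
192.168.1.10 - - [28/Nov/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
MGMT_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed management LAN
SAFE_VALUE = re.compile(r"^[A-Za-z0-9.:_-]*$")     # IPs and simple flags only

def in_mgmt_net(src):
    """True only if src is a literal IP inside the management LAN."""
    try:
        return ipaddress.ip_address(src) in MGMT_NET
    except ValueError:
        return False

def scan(log_text):
    """Return (source, [reasons]) for each suspicious dnscfg.cgi request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/dnscfg.cgi"):
            continue
        reasons = []
        if not in_mgmt_net(src):
            reasons.append("source outside management LAN")
        # parse_qsl percent-decodes values, so encoded characters are checked too
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if not SAFE_VALUE.match(value):
                reasons.append(f"unexpected characters in parameter {name!r}")
        if reasons:
            findings.append((src, reasons))
    return findings

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG):
        print(src, "->", "; ".join(reasons))
```

A hit for "source outside management LAN" alone already means the router's web interface is reachable from somewhere it should not be, independent of whether the request carried anything malformed.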