This D-Link Router Zero-Day Has Been Exploited Since November. There Is No Patch.

CVE-2026-0625 | Exploited Since Nov 2025 | No Patch (EOL Hardware)

CVSS Score: 9.3 Critical
Exploitation Began: Nov 2025
Patch Available: No Patch
Affected Models: 4 (all EOL)

CVE-2026-0625 is a command injection vulnerability in four end-of-life D-Link router models: the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B. Exploitation by a Mirai botnet variant began in November 2025. D-Link disclosed the vulnerability in February 2026 and stated explicitly that no patch will be developed because all four models reached end of life before 2021. CISA added CVE-2026-0625 to the Known Exploited Vulnerabilities catalog in March 2026. There is no software fix available. The only remediation is replacing the hardware.

No Patch Will Be Released

D-Link has confirmed there is no firmware update coming for any of the four affected models. Applying workarounds reduces exposure but does not eliminate the vulnerability. If you are running any of these models, hardware replacement is the only durable remediation.

The Vulnerability

CVE-2026-0625 is a command injection flaw in the web-based management interface of the affected D-Link DSL router models. An unauthenticated attacker with network access to the device's management interface can inject operating system commands through a parameter in the web UI that is passed to a shell without sanitization. The injected commands execute with root privileges on the router's underlying Linux system.

Successful exploitation gives the attacker complete control over the router: they can modify routing tables, alter DNS resolver settings, intercept or redirect traffic, establish persistent backdoors, and use the device as a pivot point for attacks on other devices on the network. In the Mirai variant campaign observed since November 2025, the primary use is DDoS infrastructure: compromised routers are enrolled in a botnet used for volumetric UDP and TCP flood attacks.

The four affected models were popular DSL gateway routers distributed by ISPs in the Asia-Pacific region, Latin America, and parts of Europe between approximately 2013 and 2020. D-Link ended security support for these models between 2019 and 2021. Despite being out of support for three to seven years, millions of these devices remain deployed globally, many still in use as the primary gateway router for homes and small businesses that were issued the device by their ISP and have never replaced it.

Six Months of Unpatched Exploitation

The timeline here is notable. The Mirai variant began targeting these devices in November 2025. Security researchers identified the campaign and reported the vulnerability to D-Link in December 2025. D-Link published an advisory in February 2026, more than two months after exploitation began, confirming the vulnerability and declining to develop a fix due to EOL status. CISA added it to the KEV catalog in March 2026. As of May 2026, exploitation is ongoing and the devices remain unpatched.

From November 2025 through the current date, any internet-exposed affected D-Link device has been vulnerable to trivial exploitation with no technical barrier. The Mirai campaign is fully automated: scan, detect model fingerprint, inject payload, enroll in botnet. A device compromised last November may have been running Mirai DDoS software for six months, participating in attacks against targets worldwide, while the owner noticed nothing unusual about their internet connection.

Mirai Botnet Recruitment via CVE-2026-0625

1. Mass scan for exposed management interfaces: the Mirai scanner probes internet-facing IPs for D-Link DSL router HTTP management ports (80/443/8080) and fingerprints the device model via response headers.
2. Unauthenticated command injection: a crafted HTTP request to the vulnerable parameter injects shell commands; no authentication and no interaction from the device owner are required.
3. Mirai binary downloaded and executed: the injected commands fetch the Mirai binary via wget or curl from a staging server; the binary matches the router's MIPS or ARM architecture.
4. C2 registration and persistence: the device registers with the Mirai C2 server; a cron job or init script ensures the agent restarts after a device reboot.
5. Device participates in DDoS campaigns: the router receives flood targets from the C2 and sends volumetric UDP/TCP traffic; the owner's internet may appear slower under heavy attack tasking.
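The last stage above, a gateway emitting volumetric UDP/TCP traffic on C2 tasking, is the one an ISP or network team can observe from outside the device. The following is an added detection example (not code from the original article or from RedEye): it takes flow records in a generic (timestamp, src, dst, proto, packets) shape, constructed here rather than captured, and flags any source whose outbound UDP/TCP packet rate in a sliding window exceeds a threshold that no residential gateway reaches in normal use.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Flow record: (timestamp_s, src_ip, dst_ip, proto, packets). The field layout is
# assumed to mirror a generic NetFlow/IPFIX export, not any specific collector.
Flow = Tuple[int, str, str, str, int]

def flood_sources(flows: List[Flow], window_s: int = 60,
                  pps_threshold: float = 5000.0) -> Dict[str, float]:
    """Return {src_ip: peak_pps} for sources whose outbound UDP/TCP packet rate
    exceeds pps_threshold in any sliding window of window_s seconds. A home
    gateway normally emits tens of pps; a sustained five-figure rate is the
    volumetric-flood signature, whatever the number of targets."""
    by_src: Dict[str, List[Tuple[int, int]]] = defaultdict(list)
    for ts, src, _dst, proto, pkts in flows:
        if proto in ("UDP", "TCP"):
            by_src[src].append((ts, pkts))
    flagged: Dict[str, float] = {}
    for src, recs in by_src.items():
        recs.sort()
        head, running, peak = 0, 0, 0.0
        for ts, pkts in recs:
            running += pkts
            # Slide the window: drop records that fell out of the last window_s seconds.
            while recs[head][0] <= ts - window_s:
                running -= recs[head][1]
                head += 1
            peak = max(peak, running / window_s)
        if peak > pps_threshold:
            flagged[src] = peak
    return flagged

# Constructed flows using TEST-NET addresses (not real traffic). 203.0.113.10 behaves
# like a Mirai-tasked gateway (bursts of UDP at one target); .20 is ordinary browsing.
SAMPLE_FLOWS: List[Flow] = [
    (0,  "203.0.113.10", "198.51.100.5", "UDP", 150000),
    (10, "203.0.113.10", "198.51.100.5", "UDP", 150000),
    (20, "203.0.113.10", "198.51.100.5", "UDP", 150000),
    (30, "203.0.113.10", "198.51.100.5", "UDP", 150000),
    (0,  "203.0.113.20", "192.0.2.44", "TCP", 300),
    (15, "203.0.113.20", "192.0.2.44", "TCP", 420),
    (40, "203.0.113.20", "192.0.2.80", "UDP", 60),
]

if __name__ == "__main__":
    for src, pps in flood_sources(SAMPLE_FLOWS).items():
        print(f"{src}: peak {pps:.0f} pps outbound, likely DDoS participation")
```

A hit on a subscriber line that also matches one of the four affected models in the inventory is a strong signal to pull the device rather than just rate-limit it.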

The Broader EOL Device Problem

CVE-2026-0625 is not an isolated incident. It is a specific instance of a systemic problem: millions of IoT devices, SOHO routers, and embedded systems remain deployed long past the point where their manufacturers provide security updates. Every such device in production is a permanent, unresolvable attack surface. No patch management program can fix a device whose vendor has stopped writing patches.

The problem is particularly acute for ISP-provided equipment. When an ISP issues a router to a subscriber, that device typically has no automatic replacement cycle. The subscriber uses it until it stops working, not until it becomes insecure. ISPs in the regions where these D-Link models were deployed have done little to proactively reach out to subscribers and replace end-of-life hardware, creating a long tail of vulnerable infrastructure that persists for years after EOL.

CISA's inclusion of EOL devices in the KEV catalog is notable because it signals that the agency considers them an active threat, not a theoretical one. The practical implication for organizations is that EOL network devices in production environments need to be tracked in an asset inventory with explicit replacement timelines. A device that cannot be patched needs a sunset date, not just a flag in the inventory.

Remediation and Compensating Controls

The primary remediation is hardware replacement. The four affected models should be removed from service and replaced with current devices receiving active security support. This is the only complete fix.

If immediate hardware replacement is not operationally possible, the following compensating controls reduce but do not eliminate risk:

For organizations and ISPs managing large populations of these devices: deploy a network scanning tool to identify all remaining affected models. Prioritize replacement for any device with the management interface accessible from the internet. Develop a communication strategy for end users who need to replace their own equipment.
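The inventory-driven prioritization described above, as an added example that is not part of the original article or any RedEye tooling: it canonicalizes the free-text model strings an asset inventory usually contains, matches them against the four models named in the advisory, and ranks affected devices with internet-exposed management first. The asset fields and the sample inventory are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The four models D-Link's advisory names as affected by CVE-2026-0625.
AFFECTED_MODELS = {"DSL-2740R", "DSL-2640B", "DSL-2780B", "DSL-526B"}

# Inventories spell models inconsistently ("D-Link DSL2740R", "dsl-526b rev A"); match loosely.
_MODEL_RE = re.compile(r"\bDSL[-\s]?(\d{3,4}[A-Z]?)\b", re.IGNORECASE)

@dataclass
class Asset:
    host: str
    model: str               # free-text model string from the inventory
    wan_mgmt_exposed: bool   # management UI reachable from the internet

def normalize_model(raw: str) -> Optional[str]:
    """Return the canonical 'DSL-NNNNX' form, or None if no DSL model token is present."""
    m = _MODEL_RE.search(raw)
    return f"DSL-{m.group(1).upper()}" if m else None

def replacement_roadmap(assets: List[Asset]) -> List[Tuple[int, str, str, str]]:
    """Rank affected devices: P1 = management exposed to the WAN (replace now),
    P2 = affected but LAN-only management (scheduled). Unaffected devices are omitted."""
    rows = []
    for a in assets:
        model = normalize_model(a.model)
        if model not in AFFECTED_MODELS:
            continue
        if a.wan_mgmt_exposed:
            rows.append((1, a.host, model, "replace now; disable WAN management until removed"))
        else:
            rows.append((2, a.host, model, "schedule replacement; keep management LAN-only"))
    return sorted(rows)  # by priority, then hostname

# Constructed sample inventory (hypothetical hosts, not a real deployment).
SAMPLE_INVENTORY = [
    Asset("gw-br-01", "D-Link DSL-2740R", True),
    Asset("gw-mx-02", "dsl2640b", False),
    Asset("gw-hq-01", "D-Link DIR-882", True),
    Asset("gw-ar-03", "DSL-526B rev A", True),
    Asset("gw-pe-04", "Netgear R7000", False),
]

if __name__ == "__main__":
    for prio, host, model, action in replacement_roadmap(SAMPLE_INVENTORY):
        print(f"P{prio} {host:10} {model:10} {action}")
```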

Identifying the Affected Models

The four affected models are D-Link DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B. Check your router's label (typically on the underside) for the model number. All four are DSL gateway routers with built-in modems. If you have one of these and cannot replace it immediately, disable remote (WAN) management access as the highest-priority compensating control.

Do You Know What EOL Devices Are on Your Network?

Most organizations cannot answer that question without a network scan. RedEye Security can conduct a network asset inventory, identify EOL devices with known unpatched vulnerabilities, and help you build a prioritized replacement roadmap.
