A critical command injection zero-day in legacy D-Link DSL gateways — tracked as CVE-2026-0625 with a CVSS score of 9.3 — is being actively exploited in the wild. For Saudi financial institutions operating branch networks, ATMs over consumer-grade backhaul, and an expanded remote workforce, the flaw reopens an old but dangerous attack surface: the unmanaged edge.
Inside CVE-2026-0625: Unauthenticated RCE via DNS Configuration
The vulnerability lives in the dnscfg.cgi endpoint of multiple end-of-life D-Link DSL gateway models, including DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B. The endpoint fails to sanitize input passed to DNS configuration commands, allowing a remote attacker to inject arbitrary shell commands disguised as DNS server values. Because these models reached end-of-support more than five years ago, no vendor patch is forthcoming. VulnCheck disclosed the issue to D-Link in December 2025, and exploitation has since accelerated through 2026 — including campaigns that pivot the same flaw into classic DNSChanger behavior, silently rerouting victim traffic through attacker-controlled resolvers.
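To make the injection pattern concrete, the following is an added example in Python, not D-Link's code: the real endpoint is native firmware and its parameter names are not reproduced on this page. It shows a hypothetical DNS-config handler that splices the submitted resolver values into a shell command string, beside a hardened version that accepts only literal IP addresses and hands them to the helper as an argument list with no shell involved. The parameter names dnsPrimary and dnsSecondary, the setdns helper, and the sample payload are all assumptions made for the illustration.

```python
"""Illustrative command-injection pattern in a DNS-config CGI handler.

Added example, not D-Link's source. The parameter names (dnsPrimary,
dnsSecondary) and the setdns helper are assumptions for the illustration.
"""
import ipaddress
from urllib.parse import parse_qs


def build_vulnerable_command(query_string: str) -> str:
    """'Before' pattern: DNS values are spliced straight into a shell string.

    Anything the client puts in the parameter, including ';' or '`', reaches
    the shell. The string is returned here rather than passed to system().
    """
    params = parse_qs(query_string)
    dns1 = params.get("dnsPrimary", [""])[0]
    dns2 = params.get("dnsSecondary", [""])[0]
    return f"setdns {dns1} {dns2}"  # the vulnerable code would call system() on this


def validate_resolver(value: str) -> str:
    """Hardened check: accept only a single literal IPv4/IPv6 address."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError as exc:
        raise ValueError(f"not an IP address: {value!r}") from exc
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"not a usable resolver: {value!r}")
    return str(addr)


def build_hardened_argv(query_string: str) -> list:
    """'After' pattern: validate each value, then build an argv list.

    The list form (subprocess.run(argv) without shell=True) never goes
    through a shell, so metacharacters in the input have no special meaning,
    and validate_resolver rejects them before they get that far anyway.
    """
    params = parse_qs(query_string)
    argv = ["setdns"]
    for name in ("dnsPrimary", "dnsSecondary"):
        raw = params.get(name, [""])[0]
        if raw:
            argv.append(validate_resolver(raw))
    return argv


def looks_injected(command: str) -> bool:
    """True if shell metacharacters survived into the command string."""
    return any(ch in command for ch in ";|&`$\n")


# Constructed payload: a benign command smuggled in the primary-DNS field.
PAYLOAD = "dnsPrimary=8.8.8.8;id>/tmp/pwned&dnsSecondary=1.1.1.1"

if __name__ == "__main__":
    print(build_vulnerable_command(PAYLOAD))
    print(build_hardened_argv("dnsPrimary=8.8.8.8&dnsSecondary=2001:4860:4860::8888"))
    try:
        build_hardened_argv(PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

The point of the contrast is that sanitizing by blacklist is the wrong fix: the hardened handler does not try to strip metacharacters, it refuses anything that does not parse as an address, and it never builds a shell string at all.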
Why DNS Hijacking Is a Banking Threat, Not a Consumer One
Once an attacker controls the resolver that a router hands to the clients behind it, every name lookup for a banking session, OAuth callback, software update, or OCSP check can be answered with an attacker-chosen address. TLS still protects a correctly validated connection to the genuine host, so the practical effect is redirection rather than decryption: victims are steered to phishing kits that mimic Saudi bank portals and Mada payment screens on look-alike domains, or to plaintext HTTP hosts before the client has ever seen an HSTS redirect. That is enough for transparent credential theft, two-factor relay, and session token capture without ever touching the bank's own infrastructure. The spread of consumer-grade equipment inside small branches, microfinance offices, partner agencies, and the home offices of privileged staff means this is no longer a "home user" problem.
Impact on Saudi Financial Institutions
SAMA Cyber Security Framework controls 3.3 (Asset Management) and 4.1 (Network Security), together with NCA ECC-1:2018 subdomains 2-5 (Networks Security) and 2-6 (Mobile Devices Security), require regulated entities to maintain a complete inventory of edge and network devices, enforce hardening baselines, and replace or compensate for unsupported equipment. CVE-2026-0625 is precisely the kind of finding a SAMA on-site review or a PCI-DSS 4.0 requirement 1 assessment will flag. Worse, if an attacker pivots from a compromised branch router into the corporate VPN concentrator, the breach narrative shifts from "vendor flaw" to "failure of network segmentation", a finding that has historically driven multimillion-riyal remediation programs and forced executive-level reporting under SAMA Circular 381000091275.
Defensive Playbook: Practical Steps This Week
- Run a discovery sweep across every branch, ATM site, partner location, and known remote-work IP range. Unauthenticated fingerprinting is sufficient, since a device IT does not manage will not accept IT's credentials anyway. Tools such as runZero (formerly Rumble), or even nmap with HTTP banner grabbing, will quickly surface D-Link DSL models, even when they are not managed by IT.
- Block remote access to the gateway management interface, including the dnscfg.cgi endpoint, at perimeter and SD-WAN firewalls, and alert on any device whose configured DNS resolvers fall outside the bank's approved list (typically the internal resolvers or vetted public resolvers). Note that any host on the LAN side of the gateway can still reach the endpoint, so this buys time rather than closing the hole.
- Quarantine and replace any device matching the affected model family. There is no patch; the only fix is replacement with currently supported, hardened equipment that supports DNS-over-HTTPS to a managed resolver and centralized logging.
- Instrument DNS telemetry. Forward resolver logs to the SOC and alert on first-time resolution of newly registered domains, fast-flux patterns, or queries to non-approved resolvers — these are the high-fidelity indicators of a DNSChanger-style compromise.
- Refresh the third-party and remote-work risk register. Under SAMA CSCC 4.4 and NCA ECC 4-1, the responsibility for unsupported devices in agency or remote-work scenarios sits with the regulated entity, not the contractor.
- Add CVE-2026-0625 indicators to the threat intelligence feed used by the SOC, and correlate with any anomalous certificate warnings reported by online banking, mobile banking, or trading-platform users in the past 90 days.
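The checks from the playbook above, as an added example that is not part of this article or of any vendor tool: a Python script that flags hosts sending DNS to resolvers outside an approved list, surfaces requests to dnscfg.cgi in proxy or WAF access logs (case-insensitive, ignoring the query string), and matches the affected model strings in HTTP banners collected by a discovery sweep. The approved-resolver list, the flow records, the access-log lines and the banner are all constructed for the example; in particular, whether a given firmware build exposes its model name in the Basic-auth realm is an assumption to verify against your own sweep results.

```python
"""Added example: rogue-resolver, dnscfg.cgi-probe and banner checks over constructed logs."""
import re
from collections import defaultdict

# Models named in the advisory text as affected.
AFFECTED_MODELS = ("DSL-2740R", "DSL-2640B", "DSL-2780B", "DSL-526B")

# Assumption: the bank's approved resolvers (internal RFC 1918 addresses).
APPROVED_RESOLVERS = {"10.10.0.53", "10.10.1.53"}

# Constructed flow records from a branch firewall: time src dst dport proto.
# 198.51.100.10 (TEST-NET-2) stands in for an attacker-controlled resolver.
FLOW_LOG = """\
2026-03-02T08:00:01Z 10.44.12.7 10.10.0.53 53 udp
2026-03-02T08:00:02Z 10.44.12.7 10.10.0.53 53 udp
2026-03-02T08:00:05Z 10.44.12.9 198.51.100.10 53 udp
2026-03-02T08:00:06Z 10.44.12.9 198.51.100.10 53 udp
2026-03-02T08:00:09Z 10.44.12.9 198.51.100.10 53 udp
2026-03-02T08:00:11Z 10.44.12.9 10.10.0.53 53 udp
2026-03-02T08:01:00Z 10.44.13.2 10.10.1.53 443 tcp
"""

# Constructed Common Log Format lines, as a proxy or WAF in front of the
# gateway's web interface might record them (203.0.113.0/24 is TEST-NET-3).
ACCESS_LOG = """\
203.0.113.5 - - [02/Mar/2026:08:02:10 +0300] "GET /dnscfg.cgi?dnsPrimary=8.8.8.8 HTTP/1.1" 200 512
10.44.12.4 - - [02/Mar/2026:08:02:12 +0300] "GET /index.html HTTP/1.1" 200 2048
203.0.113.9 - - [02/Mar/2026:08:02:30 +0300] "POST /DNSCFG.CGI HTTP/1.1" 200 512
"""

# Constructed HTTP response from a discovery sweep. Assumption: the model
# string appears in the Basic-auth realm; real firmware may differ.
BANNER = ("HTTP/1.1 401 Unauthorized\r\n"
          "Server: micro_httpd\r\n"
          'WWW-Authenticate: Basic realm="DSL-2740R"\r\n\r\n')


def parse_flows(text):
    """Parse 'time src dst dport proto' lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def rogue_resolver_report(flows, approved):
    """Map each source host to the unapproved resolvers it queried, with counts.

    A host that keeps sending port-53 traffic to an address outside the
    approved set is the primary indicator of DNSChanger-style hijacking.
    """
    report = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["dport"] == 53 and f["dst"] not in approved:
            report[f["src"]][f["dst"]] += 1
    return {src: dict(resolvers) for src, resolvers in report.items()}


CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def dnscfg_probes(access_log):
    """Return (client, method, path) for every request that touches dnscfg.cgi.

    The path is compared case-insensitively with the query string removed,
    so trivially obfuscated probes are still caught.
    """
    hits = []
    for line in access_log.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, method, path, _status = m.groups()
        if "dnscfg.cgi" in path.split("?", 1)[0].lower():
            hits.append((client, method, path))
    return hits


MODEL_RE = re.compile("|".join(re.escape(m) for m in AFFECTED_MODELS))


def affected_model(banner):
    """Return the first affected model string found in an HTTP banner, or None."""
    m = MODEL_RE.search(banner)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(rogue_resolver_report(parse_flows(FLOW_LOG), APPROVED_RESOLVERS))
    print(dnscfg_probes(ACCESS_LOG))
    print(affected_model(BANNER))
```

In production the same three functions would read from the SIEM's flow and web-access indices and from the discovery tool's export; the thresholds (how many queries to an unapproved resolver before alerting) are a local tuning decision and are deliberately not hard-coded here.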
Conclusion
CVE-2026-0625 is a reminder that the weakest device on a network often defines the security posture of the institution behind it. For Saudi banks accelerating branch transformation, agency banking, and hybrid-work models, the edge is no longer the perimeter — it is the new frontline. Discovery, segmentation, and disciplined end-of-life governance are the controls that turn a vendor zero-day into a non-event rather than a regulatory incident.
Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on branch, edge, and remote-work network security.