
D-Link CVE-2026-0625 Zero-Day: DNS Hijack Risk for SAMA Banks

An unauthenticated RCE in end-of-life D-Link DSL routers (CVE-2026-0625, CVSS 9.3) enables silent DNS redirection. SAMA-regulated banks now face customer-side credential theft and BEC fraud at scale.

FyntraLink Team

A critical zero-day vulnerability tracked as CVE-2026-0625 (CVSS 9.3) is being actively exploited in end-of-life D-Link DSL routers, enabling unauthenticated remote code execution and silent DNS hijacking. For SAMA-regulated financial institutions, the threat is not the router itself — it is the customer sitting behind it, whose online banking session can now be redirected to attacker-controlled infrastructure without any visible warning.

Inside CVE-2026-0625: An Unpatched Door Into Customer Networks

The flaw resides in the dnscfg.cgi handler exposed by several legacy D-Link DSL gateway models, including the DSL-2740R, DSL-2640B, DSL-2780B, and DSL-526B firmware variants shipped between 2016 and 2019. Because user-supplied DNS configuration parameters are not properly sanitized, a remote, unauthenticated attacker can inject and execute arbitrary shell commands by simply sending a crafted HTTP request to the device's web management interface. Active exploitation has been observed since late November 2025, with attacker tooling specifically focused on overwriting primary and secondary DNS entries — the textbook DNSChanger pattern.

The most damaging detail is what is missing from the advisory: a patch. D-Link declared all four affected model lines End of Life in early 2020 and has confirmed no firmware update will be released. The devices are effectively abandonware, permanently exposed to a CVSS 9.3 RCE that requires no credentials and no user interaction.

From Home Router to Banking Trojan Infrastructure

DNS hijacking is one of the oldest tricks in fraud operations, but its current weaponization is far more sophisticated. Once an attacker controls the resolver entries on a victim's router, every device on that network — laptops, mobile phones, smart TVs — silently accepts attacker-defined IPs for legitimate domains. Banking apps configured with certificate pinning may resist outright, but browser-based portals, password reset flows, and email clients used for BEC remain wide open. Researchers tracking the campaign have documented the redirected traffic landing on phishing kits that mirror Saudi and GCC bank login screens pixel-for-pixel, harvest credentials, and relay one-time passwords through reverse-proxy frameworks such as Evilginx.

Compromised routers are also being chained into traffic-distribution systems used by initial access brokers. That means a single hijacked DSL-2640B in a customer's home today can become the staging ground for a corporate Microsoft 365 takeover tomorrow, especially when the same household contains a remote worker employed by a regulated entity.

Impact on Saudi Financial Institutions

SAMA-regulated banks rarely operate D-Link DSL routers inside their own perimeter, so the natural reaction is to dismiss CVE-2026-0625 as a consumer issue. That conclusion is wrong under both the SAMA Cyber Security Framework and NCA ECC. Control 3.3.10 of the SAMA CSF explicitly extends customer protection responsibilities to "online banking channels," and the SAMA Cyber Security Compliance Coordination (CSCC) program treats fraud originating from compromised customer endpoints as an institutional risk metric. NCA ECC sub-control 2-9-1 on email security and 2-10-1 on web application protection are equally implicated, because hijacked DNS resolves attacker-controlled mail exchangers for BEC and credential phishing.

For banks already aligned with PCI-DSS v4.0, requirement 5.4.1 on phishing defense and 11.6.1 on payment page integrity also become relevant — a customer reaching a cloned payment page through a DNS-hijacked resolver still represents a cardholder data exposure event from the regulator's perspective. Saudi PDPL adds a final layer: any leakage of customer authentication data caused by inadequate fraud monitoring may trigger notification obligations to the Saudi Data and AI Authority (SDAIA).

Detection and Mitigation Steps

  1. Hunt for outbound DNS traffic from customer sessions that does not resolve through your published recursive resolvers — flag any session where the bank's domain is reached via a non-Saudi or non-GCC IP block as a potential DNSChanger indicator.
  2. Force certificate pinning and HTTP Strict Transport Security (HSTS) preloading on all customer-facing web and mobile banking origins, and reject any TLS chain that does not match your issued leaf certificates.
  3. Deploy DNS-over-HTTPS (DoH) inside the bank's official mobile app to bypass the user's local resolver entirely, eliminating router-level DNS hijacking as an attack vector.
  4. Update fraud-detection rules to score logins where the client resolver IP does not belong to a known Saudi ISP recursive pool — pair this with device-fingerprint binding to detect session relay through Evilginx-style proxies.
  5. Issue a customer advisory through SMS and in-app notifications recommending replacement of any D-Link DSL-2740R, DSL-2640B, DSL-2780B, or DSL-526B router still in service, and provide a clear list of supported alternatives.
  6. Map this incident into your SAMA CSCC quarterly self-assessment under the "third-party and customer endpoint risk" section, and document the compensating controls deployed.
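As an added example (not part of the original advisory), the scoring logic behind steps 1 and 4 above, run over constructed session telemetry. The resolver pools, the bank's origin ranges, the domain name and the device fingerprints are placeholders standing in for values that would come from the institution's own inventory.

```python
"""Score customer banking sessions for DNSChanger / relay indicators (steps 1 and 4)."""
import ipaddress
from dataclasses import dataclass

# Placeholder prefixes (RFC 5737 TEST-NET ranges) standing in for the bank's
# published recursive resolvers and known Saudi/GCC ISP recursive pools.
KNOWN_RESOLVER_POOLS = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",   # stands in for ISP recursive pool A
    "198.51.100.0/24",  # stands in for ISP recursive pool B
)]
# Placeholder for the bank's published origin range for its online banking host.
BANK_ORIGIN_RANGES = [ipaddress.ip_network("192.0.2.0/25")]
BANK_DOMAIN = "ebank.example-bank.sa"  # hypothetical domain

@dataclass
class SessionRecord:
    session_id: str
    resolver_ip: str           # resolver the client used (app/DoH telemetry)
    resolved_ip: str           # address the client connected to for BANK_DOMAIN
    fingerprint_at_login: str  # device fingerprint bound at authentication
    fingerprint_now: str       # fingerprint observed on the current request

def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def score_session(rec: SessionRecord):
    """Return (score, reasons); a higher score is a stronger hijack/relay indicator."""
    score, reasons = 0, []
    if not _in_any(rec.resolver_ip, KNOWN_RESOLVER_POOLS):
        score += 40; reasons.append("resolver outside known ISP/bank recursive pools")
    if not _in_any(rec.resolved_ip, BANK_ORIGIN_RANGES):
        score += 50; reasons.append("bank domain resolved to a non-published origin")
    if rec.fingerprint_at_login != rec.fingerprint_now:
        score += 30; reasons.append("device fingerprint changed mid-session (possible proxy relay)")
    return score, reasons

def flag_sessions(records, threshold: int = 50):
    """Return [(session_id, score, reasons)] for sessions at or above the threshold."""
    flagged = []
    for rec in records:
        score, reasons = score_session(rec)
        if score >= threshold:
            flagged.append((rec.session_id, score, reasons))
    return flagged

# Constructed sample telemetry, not real customer data.
SAMPLE = [
    SessionRecord("s1", "203.0.113.10", "192.0.2.15", "fpA", "fpA"),  # clean
    SessionRecord("s2", "198.18.0.5", "192.0.2.20", "fpB", "fpB"),    # unusual resolver only
    SessionRecord("s3", "198.18.0.5", "198.18.0.77", "fpC", "fpZ"),   # hijacked DNS + relay
]

if __name__ == "__main__":
    for sid, score, why in flag_sessions(SAMPLE):
        print(sid, score, "; ".join(why))
```

Session s2 scores below the threshold on its own, so a resolver outside the known pool is treated as a weak signal that only becomes actionable when combined with a wrong origin or a fingerprint mismatch.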

Conclusion

CVE-2026-0625 is a reminder that the regulated perimeter of a Saudi bank now extends into the living rooms of its customers. With no vendor patch coming and active exploitation already underway, the only durable defense is to assume customer-side DNS is untrusted and to rebuild authentication, session integrity, and fraud telemetry around that assumption. Regulators will not accept "the customer's router was compromised" as a root cause when the controls to detect and absorb that compromise were within the institution's reach.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on customer-side fraud telemetry, DNS integrity, and CSCC alignment.