Auth bypass in D-link Dir-600

CVE-2026-0625

Multiple D-Link DSL/DIR/DNS devices contain an authentication bypass and improper access control vulnerability in the dnscfg.cgi endpoint that allows an unauthenticated attacker to access DNS configuration functionality. By directly reques…

Vulnerability class: Broken Authentication

EPSS: 0.004 (61.5th percentile) — read the EPSS interpretation.

Affected products

D-link Dir-600 — versions 0
D-link Dir-608 — versions 0
D-link Dir-610 — versions 0
D-link Dir-611 — versions 0
D-link Dir-615 — versions 0
D-link Dir-905l — versions 0
D-link Dns-320 — versions 0
D-link Dns-325 — versions 0
D-link Dns-345 — versions 0
D-link Dsl-2640b — versions 0

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

disclosure@vulncheck.com (vendor-advisory, mitigation)
disclosure@vulncheck.com (vendor-advisory)
disclosure@vulncheck.com (vendor-advisory)
disclosure@vulncheck.com (third-party-advisory)