A critical flaw in legacy D-Link DSL routers lets unauthenticated attackers run commands and hijack DNS, with active exploitation reported.