Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn76_dlwbr_dir605L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
AnalysisAI
Hardcoded telnet backdoor in D-Link DIR-605L Hardware Revision B2 firmware enables unauthenticated root access for remote attackers on the local network using static credentials 'Alphanetworks:wrgn76_dlwbr_dir605L'. The telnet daemon starts automatically at boot, validating credentials via strcmp() against hardcoded values in /etc/alpha_config/image_sign, granting complete administrative control to anyone who knows the password. This End-of-Life device will receive no security patches. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted disclosure rather than widespread exploitation campaigns.
Technical ContextAI
The vulnerability stems from CWE-798 (Use of Hard-coded Credentials) implemented in the device's custom telnet authentication stack. At boot, /bin/telnetd.sh launches a modified telnetd binary that accepts a -u flag to set static credentials. The custom login binary uses strcmp() for credential validation against hardcoded values stored in /etc/alpha_config/image_sign. This backdoor appears intentional rather than accidental, using 'Alphanetworks' as the username - matching the ODM manufacturer behind various D-Link products. The CPE identifier cpe:2.3:a:d-link:dir-605l_firmware:*:*:*:*:*:*:*:* indicates all firmware versions for Hardware Revision B2 are affected, with the wildcard version field suggesting no version-specific mitigation exists within this hardware line.
RemediationAI
No vendor patch will be released - D-Link has designated Hardware Revision B2 as End-of-Life. Immediate action required: Replace affected DIR-605L B2 devices with currently supported router models from any vendor. Interim risk reduction (until replacement): Disable telnet service if firmware interface permits (unlikely given backdoor implementation), isolate device on separate VLAN with strict firewall rules blocking TCP port 23 inbound from all network segments, implement network access control (NAC) to restrict which devices can reach router management plane, deploy intrusion detection signatures for telnet authentication attempts using username 'Alphanetworks'. Trade-offs: disabling telnet may not be possible through standard interface if backdoor bypasses normal service controls; VLAN isolation reduces attack surface but adds network segmentation complexity; blocking port 23 at upstream firewall protects from lateral movement but requires attacker already breached internal network. All mitigations are temporary - hardware replacement is the only permanent remediation for devices with burned-in authentication backdoors.
The D-Link DIR-645 Wired/Wireless Router Rev. Rated high severity (CVSS 8.8), this vulnerability is no authentication re
The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr
D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set
Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. Rated critical severity (
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Rated high severity (CVSS 8.0)
Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated use
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?RE
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. Rated medium severity (CVSS 4.3), thi
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remot
A vulnerability in the D-Link DIR-859 router with firmware version A3 1.05 and earlier permits unauthorized individuals
The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an
An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmw
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27023