Skip to main content

D-Link DIR-600L CVE-2026-42374

| EUVDEUVD-2026-27025 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-05-04 securin
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 17:00 vuln.today
EUVD ID Assigned
May 04, 2026 - 16:30 euvd
EUVD-2026-27025
Analysis Generated
May 04, 2026 - 16:30 vuln.today
CVE Published
May 04, 2026 - 16:00 nvd
CRITICAL 9.8

DescriptionCVE.org

D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control.  The device has reached End-of-Life (EOL) and will not receive patches.

AnalysisAI

D-Link DIR-600L Hardware Revision B1 routers expose a hardcoded telnet backdoor granting unauthenticated remote attackers root shell access via static credentials ('Alphanetworks' / 'wrgn61_dlwbr_dir600L'). The vulnerability affects End-of-Life devices that will never receive patches, making permanent network isolation or replacement the only remediation options. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and publicly documented credentials, this represents critical risk for any exposed device, though exploitation requires local network access despite the 'Network' attack vector classification.

Technical ContextAI

The DIR-600L firmware implements a persistent telnet service through /bin/telnetd.sh that launches at boot time with hardcoded credentials stored in cleartext within /etc/alpha_config/image_sign. The custom telnetd binary uses a non-standard '-u user:password' flag for authentication, while the associated login binary performs credential validation using strcmp() against the static values. This represents CWE-798 (Use of Hard-coded Credentials), a fundamental design flaw where authentication secrets are embedded in the product rather than user-configurable. The CPE identifier (cpe:2.3:a:d-link:dir-600l_firmware) indicates all firmware versions for Hardware Revision B1 are affected, as this backdoor appears to be an intentional design element rather than an accidental vulnerability-potentially for manufacturer remote support access.

RemediationAI

D-Link will not release patches for the EOL DIR-600L Hardware Revision B1-permanent remediation requires replacing affected devices with currently supported router models. For organizations unable to immediately replace hardware, implement network-level isolation: place affected routers behind a firewall that blocks inbound telnet (TCP/23) from all sources, restrict management access to a dedicated out-of-band management VLAN, and deploy network monitoring to detect telnet connection attempts to the device. Deploy compensating controls including disabling remote management features if configurable through the web interface, implementing 802.1X port-based network access control on the LAN side to limit who can reach the router's IP address, and segmenting the network so the router only routes between untrusted and trusted zones without hosting critical management functions. WARNING: These mitigations only reduce attack surface-the backdoor remains in firmware and could be exploited by any attacker who gains LAN access through other means (rogue access point, compromised endpoint, physical access). The telnet service likely cannot be disabled without custom firmware modification. Priority should be immediate budget allocation for hardware replacement rather than long-term reliance on compensating controls.

More in D-Link

View all
CVE-2015-2051 HIGH POC
8.8 Feb 23

The D-Link DIR-645 Wired/Wireless Router Rev. Rated high severity (CVSS 8.8), this vulnerability is no authentication re

CVE-2015-1187 CRITICAL POC
9.8 Sep 21

The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr

CVE-2022-26258 CRITICAL POC
9.8 Mar 28

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set

CVE-2014-3936 CRITICAL POC
10.0 Jun 02

Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. Rated critical severity (

CVE-2014-100005 HIGH POC
8.0 Jan 13

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Rated high severity (CVSS 8.0)

CVE-2015-2049 CRITICAL POC
9.0 Feb 23

Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated use

CVE-2017-12943 CRITICAL POC
9.8 Aug 18

D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?RE

CVE-2013-7389 MEDIUM POC
4.3 Jul 07

Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. Rated medium severity (CVSS 4.3), thi

CVE-2015-7245 HIGH POC
7.5 Apr 24

Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remot

CVE-2024-57045 CRITICAL POC
9.8 Feb 18

A vulnerability in the D-Link DIR-859 router with firmware version A3 1.05 and earlier permits unauthorized individuals

CVE-2013-10069 CRITICAL POC
10.0 Aug 05

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an

CVE-2013-10048 CRITICAL POC
9.3 Aug 01

An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmw

Share

CVE-2026-42374 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy