Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
AnalysisAI
Remote root shell access via hardcoded telnet backdoor in D-Link DIR-600L Hardware Revision A1 allows network-adjacent attackers to authenticate with publicly known credentials ('Alphanetworks' / 'wrgn35_dlwbr_dir600l') and obtain full administrative control. The backdoor telnet daemon launches automatically at boot with static credentials stored in /etc/alpha_config/image_sign. The device is End-of-Life with no patches forthcoming, creating permanent exposure for deployed units. EPSS data not available; no CISA KEV listing identified, though the trivial exploitation complexity (CVSS AC:L, PR:N) and public disclosure make exploitation highly likely once details are disseminated.
Technical ContextAI
This is a CWE-798 (Use of Hard-coded Credentials) vulnerability affecting the D-Link DIR-600L Hardware Revision A1 firmware. The device executes /bin/telnetd.sh at boot, launching a custom telnetd binary configured with the -u flag to specify username:password combinations. Authentication credentials are hardcoded in the /etc/alpha_config/image_sign configuration file and validated via insecure strcmp() comparison in a custom login binary. The 'Alphanetworks' username suggests this may be a manufacturer debugging interface left active in production firmware. The telnet protocol itself transmits credentials in cleartext, compounding the security failure. The CPE identifier cpe:2.3:a:d-link:dir-600l_firmware confirms this affects the device firmware rather than just configuration, meaning the backdoor exists in the base image distributed by D-Link. As an EOL product, the firmware will remain vulnerable indefinitely.
RemediationAI
Immediate device replacement is the only effective remediation, as D-Link will not release patches for this EOL hardware revision. Organizations should identify all DIR-600L Hardware Revision A1 units via asset inventory, remove them from production networks, and replace with currently supported router models. As a temporary risk reduction measure until replacement, implement network-layer controls: configure upstream firewalls or VLANs to block all inbound TCP port 23 (telnet) traffic to affected devices, disable telnet access in router web interface if the option exists (though the daemon launches via init scripts and may bypass UI controls), and isolate devices on separate network segments with strict ACLs preventing lateral movement. Monitor network traffic for telnet connections to DIR-600L units as an indicator of compromise. Note that blocking telnet does not eliminate the backdoor code-it only prevents remote exploitation while the credentials remain embedded in firmware. These compensating controls reduce attack surface but cannot provide equivalent security to patched firmware. Asset replacement timeline should be measured in days, not weeks, given the trivial exploitation and complete system compromise outcome.
The D-Link DIR-645 Wired/Wireless Router Rev. Rated high severity (CVSS 8.8), this vulnerability is no authentication re
The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr
D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set
Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. Rated critical severity (
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Rated high severity (CVSS 8.0)
Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated use
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?RE
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. Rated medium severity (CVSS 4.3), thi
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remot
A vulnerability in the D-Link DIR-859 router with firmware version A3 1.05 and earlier permits unauthorized individuals
The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an
An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmw
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27027