Skip to main content

D-Link DIR-600L CVE-2026-42375

| EUVDEUVD-2026-27027 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-05-04 securin
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 04, 2026 - 17:01 vuln.today
EUVD ID Assigned
May 04, 2026 - 16:30 euvd
EUVD-2026-27027
Analysis Generated
May 04, 2026 - 16:30 vuln.today
CVE Published
May 04, 2026 - 16:02 nvd
CRITICAL 9.8

DescriptionCVE.org

D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

AnalysisAI

Remote root shell access via hardcoded telnet backdoor in D-Link DIR-600L Hardware Revision A1 allows network-adjacent attackers to authenticate with publicly known credentials ('Alphanetworks' / 'wrgn35_dlwbr_dir600l') and obtain full administrative control. The backdoor telnet daemon launches automatically at boot with static credentials stored in /etc/alpha_config/image_sign. The device is End-of-Life with no patches forthcoming, creating permanent exposure for deployed units. EPSS data not available; no CISA KEV listing identified, though the trivial exploitation complexity (CVSS AC:L, PR:N) and public disclosure make exploitation highly likely once details are disseminated.

Technical ContextAI

This is a CWE-798 (Use of Hard-coded Credentials) vulnerability affecting the D-Link DIR-600L Hardware Revision A1 firmware. The device executes /bin/telnetd.sh at boot, launching a custom telnetd binary configured with the -u flag to specify username:password combinations. Authentication credentials are hardcoded in the /etc/alpha_config/image_sign configuration file and validated via insecure strcmp() comparison in a custom login binary. The 'Alphanetworks' username suggests this may be a manufacturer debugging interface left active in production firmware. The telnet protocol itself transmits credentials in cleartext, compounding the security failure. The CPE identifier cpe:2.3:a:d-link:dir-600l_firmware confirms this affects the device firmware rather than just configuration, meaning the backdoor exists in the base image distributed by D-Link. As an EOL product, the firmware will remain vulnerable indefinitely.

RemediationAI

Immediate device replacement is the only effective remediation, as D-Link will not release patches for this EOL hardware revision. Organizations should identify all DIR-600L Hardware Revision A1 units via asset inventory, remove them from production networks, and replace with currently supported router models. As a temporary risk reduction measure until replacement, implement network-layer controls: configure upstream firewalls or VLANs to block all inbound TCP port 23 (telnet) traffic to affected devices, disable telnet access in router web interface if the option exists (though the daemon launches via init scripts and may bypass UI controls), and isolate devices on separate network segments with strict ACLs preventing lateral movement. Monitor network traffic for telnet connections to DIR-600L units as an indicator of compromise. Note that blocking telnet does not eliminate the backdoor code-it only prevents remote exploitation while the credentials remain embedded in firmware. These compensating controls reduce attack surface but cannot provide equivalent security to patched firmware. Asset replacement timeline should be measured in days, not weeks, given the trivial exploitation and complete system compromise outcome.

More in D-Link

View all
CVE-2015-2051 HIGH POC
8.8 Feb 23

The D-Link DIR-645 Wired/Wireless Router Rev. Rated high severity (CVSS 8.8), this vulnerability is no authentication re

CVE-2015-1187 CRITICAL POC
9.8 Sep 21

The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr

CVE-2022-26258 CRITICAL POC
9.8 Mar 28

D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set

CVE-2014-3936 CRITICAL POC
10.0 Jun 02

Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. Rated critical severity (

CVE-2014-100005 HIGH POC
8.0 Jan 13

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Rated high severity (CVSS 8.0)

CVE-2015-2049 CRITICAL POC
9.0 Feb 23

Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated use

CVE-2017-12943 CRITICAL POC
9.8 Aug 18

D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?RE

CVE-2013-7389 MEDIUM POC
4.3 Jul 07

Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. Rated medium severity (CVSS 4.3), thi

CVE-2015-7245 HIGH POC
7.5 Apr 24

Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remot

CVE-2024-57045 CRITICAL POC
9.8 Feb 18

A vulnerability in the D-Link DIR-859 router with firmware version A3 1.05 and earlier permits unauthorized individuals

CVE-2013-10069 CRITICAL POC
10.0 Aug 05

The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an

CVE-2013-10048 CRITICAL POC
9.3 Aug 01

An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmw

Share

CVE-2026-42375 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy