Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
AnalysisAI
D-Link DIR-600L Hardware Revision B1 routers expose a hardcoded telnet backdoor granting unauthenticated remote attackers root shell access via static credentials ('Alphanetworks' / 'wrgn61_dlwbr_dir600L'). The vulnerability affects End-of-Life devices that will never receive patches, making permanent network isolation or replacement the only remediation options. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and publicly documented credentials, this represents critical risk for any exposed device, though exploitation requires local network access despite the 'Network' attack vector classification.
Technical ContextAI
The DIR-600L firmware implements a persistent telnet service through /bin/telnetd.sh that launches at boot time with hardcoded credentials stored in cleartext within /etc/alpha_config/image_sign. The custom telnetd binary uses a non-standard '-u user:password' flag for authentication, while the associated login binary performs credential validation using strcmp() against the static values. This represents CWE-798 (Use of Hard-coded Credentials), a fundamental design flaw where authentication secrets are embedded in the product rather than user-configurable. The CPE identifier (cpe:2.3:a:d-link:dir-600l_firmware) indicates all firmware versions for Hardware Revision B1 are affected, as this backdoor appears to be an intentional design element rather than an accidental vulnerability-potentially for manufacturer remote support access.
RemediationAI
D-Link will not release patches for the EOL DIR-600L Hardware Revision B1-permanent remediation requires replacing affected devices with currently supported router models. For organizations unable to immediately replace hardware, implement network-level isolation: place affected routers behind a firewall that blocks inbound telnet (TCP/23) from all sources, restrict management access to a dedicated out-of-band management VLAN, and deploy network monitoring to detect telnet connection attempts to the device. Deploy compensating controls including disabling remote management features if configurable through the web interface, implementing 802.1X port-based network access control on the LAN side to limit who can reach the router's IP address, and segmenting the network so the router only routes between untrusted and trusted zones without hosting critical management functions. WARNING: These mitigations only reduce attack surface-the backdoor remains in firmware and could be exploited by any attacker who gains LAN access through other means (rogue access point, compromised endpoint, physical access). The telnet service likely cannot be disabled without custom firmware modification. Priority should be immediate budget allocation for hardware replacement rather than long-term reliance on compensating controls.
The D-Link DIR-645 Wired/Wireless Router Rev. Rated high severity (CVSS 8.8), this vulnerability is no authentication re
The ping tool in multiple D-Link and TRENDnet devices allow remote attackers to execute arbitrary code via the ping_addr
D-Link DIR-820L 1.05B03 was discovered to contain remote command execution (RCE) vulnerability via HTTP POST to get set
Stack-based buffer overflow in the do_hnap function in www/my_cgi.cgi in D-Link DSP-W215 (Rev. Rated critical severity (
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Rated high severity (CVSS 8.0)
Unrestricted file upload vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote authenticated use
D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attackers to read passwords via a model/__show_info.php?RE
Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. Rated medium severity (CVSS 4.3), thi
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remot
A vulnerability in the D-Link DIR-859 router with firmware version A3 1.05 and earlier permits unauthorized individuals
The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an
An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmw
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27025