CVE-2026-42375
Status: Analyzed - Analysis Complete
Hardcoded Telnet Backdoor in D-Link DIR-600L

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: securin

Description
D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
Meta Information
Published: 2026-05-04
Last Modified: 2026-05-06
Generated: 2026-06-16
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: dlink
Product: dir-600l_firmware
Version / Range: *
CWE ID: CWE-798
Description: The product contains hard-coded credentials, such as a password or cryptographic key.
Compliance Impact

This vulnerability allows an unauthenticated attacker on the local network to gain root shell access with full administrative control due to a hardcoded telnet backdoor in the D-Link DIR-600L device. Such unauthorized access can lead to compromise of sensitive data and system integrity.

Because the device is End-of-Life and will not receive patches, this increases the risk of exploitation and potential data breaches.

Consequently, organizations using this device may face challenges in maintaining compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure access controls.

Executive Summary

The D-Link DIR-600L Hardware Revision A1 contains a hardcoded telnet backdoor. This means the device automatically starts a telnet service at boot with a fixed username "Alphanetworks" and a static password "wrgn35_dlwbr_dir600l". The telnet daemon uses a custom binary that accepts user credentials via a specific flag, and the login process uses a simple string comparison to validate these credentials. Because of this, an attacker on the local network can authenticate without proper authorization and gain a root shell, giving them full administrative control over the device.

Additionally, the device is End-of-Life (EOL), so it will not receive any patches or security updates to fix this vulnerability.

Impact Analysis

This vulnerability allows an unauthenticated attacker on the local network to gain root access to the device. With root shell access, the attacker can fully control the device, potentially leading to unauthorized changes, data theft, network compromise, or using the device as a launch point for further attacks.

Detection Guidance

This vulnerability can be detected by scanning the local network for devices running a telnet daemon that accepts the hardcoded username "Alphanetworks" with the static password "wrgn35_dlwbr_dir600l".

You can attempt to connect to the device's telnet service using the known credentials to verify if the backdoor is present.

  • Use a network scanning tool like nmap to detect open telnet ports (port 23) on devices in your network: nmap -p 23 --open <target-ip-range>
  • Attempt to log in via telnet using the hardcoded credentials: telnet <device-ip>, then enter the username "Alphanetworks" and the password "wrgn35_dlwbr_dir600l"
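
The network checks above confirm exposure on a live device. As an added example (not part of the original advisory), the same backdoor can also be found offline by auditing an unpacked firmware root filesystem for the startup pattern the description gives. It assumes the image is already extracted to a directory; the function names and the sample rootfs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): static audit of an unpacked firmware
# root filesystem for the startup pattern this CVE describes. Function names
# are hypothetical and the sample rootfs below is constructed for illustration.

# Print "file:line:text" for each script line that starts telnetd with -u,
# i.e. with credentials supplied on the command line.
find_telnetd_creds() {
    ( cd "$1" && grep -rnIE \
        'telnetd[[:space:]](.*[[:space:]])?-u[[:space:]]*[^[:space:]]' . )
}

# Exit status 0 and a report when the pattern is present, 1 when it is not.
audit_rootfs() {
    audit_hits="$(find_telnetd_creds "$1" 2>/dev/null || true)"
    if [ -z "$audit_hits" ]; then
        echo "OK: no telnetd -u invocation under $1"
        return 1
    fi
    echo "FINDING: telnetd launched with command-line credentials:"
    echo "$audit_hits"
    # The advisory says the password is read from this file at boot.
    if [ -s "$1/etc/alpha_config/image_sign" ]; then
        echo "FINDING: static secret file /etc/alpha_config/image_sign present"
    fi
    return 0
}

# Constructed sample: a minimal rootfs with a placeholder secret, so the
# audit can be exercised without a real firmware image.
make_sample_rootfs() {
    sample_root="$(mktemp -d)"
    mkdir -p "$sample_root/bin" "$sample_root/etc/alpha_config"
    echo 'PLACEHOLDER_SECRET' > "$sample_root/etc/alpha_config/image_sign"
    cat > "$sample_root/bin/telnetd.sh" <<'EOF'
#!/bin/sh
image_sign=`cat /etc/alpha_config/image_sign`
telnetd -u Alphanetworks:$image_sign &
EOF
    echo "$sample_root"
}

# Usage: sh audit.sh /path/to/extracted/rootfs
if [ "$#" -gt 0 ]; then audit_rootfs "$1"; fi
```

A finding from this check means the image ships the backdoor regardless of what the web UI shows, which supports the isolate-or-replace decision for the EOL device.
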
Mitigation Strategies

Since the device is End-of-Life and will not receive patches, immediate mitigation steps include disabling the telnet service if possible or removing the device from the network.

If disabling telnet is not feasible, isolate the device on a separate network segment to prevent unauthorized local network access.

Consider replacing the device with a supported model that receives security updates.
