CVE-2026-42373
Published: 04 May 2026
Description
D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn76_dlwbr_dir605L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
Mitigating Controls (NIST 800-53 r5) (AI)
Prohibits the use of unsupported end-of-life devices like the D-Link DIR-605L, preventing deployment or continued operation of systems with unpatchable hardcoded backdoors.
Requires identification, prioritization, and remediation of flaws such as this hardcoded telnet backdoor, necessitating replacement or isolation of the affected EOL router.
Enforces boundary protection to monitor and control communications at system boundaries, isolating the telnet service from untrusted local network access.
Security Summary (AI)
CVE-2026-42373 is a hardcoded credential vulnerability (CWE-798) in the D-Link DIR-605L Hardware Revision B2 router, an end-of-life (EOL) device. The flaw involves a telnet backdoor daemon launched at boot via the /bin/telnetd.sh script, which configures the service with a static username of "Alphanetworks" and password "wrgn76_dlwbr_dir605L" sourced from /etc/alpha_config/image_sign. A custom telnetd binary accepts a -u user:password flag, while the custom login binary performs credential validation using strcmp(). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker with access to the local network can exploit this by connecting to the telnet service using the hardcoded credentials, gaining a root shell with full administrative control over the device.
Advisories, including those published by Securin at https://www.securin.io/zero-day/cve-2026-42373-hardcoded-telnet-backdoor-in-d-link-dir-605l-b2-end-of-life-, confirm the device is EOL and will not receive patches from D-Link. Mitigation requires isolating affected devices from untrusted networks or decommissioning them entirely, as no firmware updates are available.
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: backdoor
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Hardcoded credentials enable direct authentication to the telnet remote service (T1021) using valid accounts (T1078) for initial root shell access on the device.