Cyber Posture

CVE-2026-42374

Critical · Public PoC

Published: 04 May 2026
Modified: 06 May 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (37.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

SA-22 mandates replacement or retirement of unsupported EOL devices like the DIR-600L B1, directly preventing exploitation of unpatchable hardcoded backdoors.

prevent

SC-7 enforces boundary protection to block network access to the Telnet port (TCP/23), stopping local network attackers from reaching the backdoor service.

prevent

CM-7 requires restricting unnecessary protocols such as Telnet under least functionality, which mitigates the hardcoded daemon if it can be configured or disabled at boot.

Security Summary [AI]

CVE-2026-42374 is a hardcoded Telnet backdoor vulnerability (CWE-798) in the D-Link DIR-600L Hardware Revision B1 router, an end-of-life device. At boot, the router launches a Telnet daemon via /bin/telnetd.sh, configured with static credentials—username "Alphanetworks" and password "wrgn61_dlwbr_dir600L"—read from /etc/alpha_config/image_sign. The custom telnetd binary supports a -u user:password flag, while the login binary performs credential validation using strcmp().

An unauthenticated attacker on the local network can exploit this vulnerability by connecting to the Telnet service with the known hardcoded credentials, obtaining a root shell and full administrative control of the device. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) underscores its critical nature, requiring only network access and no privileges or user interaction.

Since the DIR-600L B1 is end-of-life, no patches or firmware updates will be provided. Advisories from sources like Securin.io document the backdoor details but emphasize the lack of vendor remediation, advising affected users to isolate or retire the devices.
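The boot-time pattern described above (a script that hands telnetd a -u credential taken from a file baked into the image) can be checked for in an extracted firmware root filesystem. The Python below is an added example, not code from the advisory or from D-Link; the sample telnetd.sh contents, the placeholder written to image_sign and all function names are constructed for illustration.

```python
import os, re, tempfile

# telnetd started with a "-u user:password" argument (the flag named in the advisory)
TELNETD_U = re.compile(r'\btelnetd\b[^\n#]*?\s-u\s+(\S+)')

def _cat_source(text, var):
    """Return the file a shell variable is filled from via `cat`, if any."""
    m = re.search(r'^\s*%s=(?:`|\$\()\s*cat\s+([^\s`)]+)' % re.escape(var), text, re.M)
    return m.group(1) if m else None

def audit_rootfs(root):
    """Report scripts in an extracted firmware tree that give telnetd a fixed credential."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(65536)
            except OSError:
                continue
            for m in TELNETD_U.finditer(text):
                user, _, secret = m.group(1).strip("\"'").partition(":")
                source = "literal in script"
                if secret.startswith("$"):
                    src = _cat_source(text, secret.strip("${}"))
                    baked = src and os.path.isfile(os.path.join(root, src.lstrip("/")))
                    source = f"file in image: {src}" if baked else "variable, unresolved"
                # The secret value itself is deliberately not recorded.
                findings.append({"script": os.path.relpath(path, root),
                                 "user": user, "password_source": source})
    return findings

def build_constructed_sample():
    """Constructed tree mirroring the layout the advisory describes (values are fake)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc", "alpha_config"))
    with open(os.path.join(root, "etc", "alpha_config", "image_sign"), "w") as fh:
        fh.write("CONSTRUCTED_PLACEHOLDER\n")
    with open(os.path.join(root, "bin", "telnetd.sh"), "w") as fh:
        fh.write("#!/bin/sh\n"
                 "image_sign=`cat /etc/alpha_config/image_sign`\n"
                 "telnetd -u Alphanetworks:$image_sign &\n")
    return root

if __name__ == "__main__":
    for f in audit_rootfs(build_constructed_sample()):
        print(f)
```

A finding whose password source is a literal or a file inside the image means every unit running that firmware shares the credential, which is the condition CWE-798 describes.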

Details

CWE(s)

Affected Products

dlink · dir-600l firmware · all versions

AI Security Analysis [AI]

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: backdoor

MITRE ATT&CK Enterprise Techniques [AI]

T1021 Remote Services (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.
T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Why these techniques?

Hardcoded Telnet credentials directly enable remote root shell access via valid/default accounts on an exposed remote service (Telnet daemon at boot).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
