CVE-2026-42375
Published: 04 May 2026
Description
D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
Mitigating Controls (NIST 800-53 r5) [AI]
Prohibits the use of end-of-life devices like the D-Link DIR-600L that contain unpatchable hardcoded backdoor credentials, preventing deployment or continued operation of vulnerable hardware.
Requires identification, prioritization, and remediation of the hardcoded telnet backdoor flaw (CVE-2026-42375) through replacement or retirement since no patches are available for the EOL device.
Monitors and controls communications at system boundaries to block local network access to the exposed telnet port (23), preventing exploitation of the hardcoded credentials backdoor.
Security Summary [AI]
CVE-2026-42375 is a hardcoded credentials backdoor vulnerability (CWE-798) in the D-Link DIR-600L Hardware Revision A1 router, an end-of-life device. At boot, the firmware launches a telnet daemon via /bin/telnetd.sh, configuring it with the static username "Alphanetworks" and password "wrgn35_dlwbr_dir600l" sourced from /etc/alpha_config/image_sign. A custom telnetd binary accepts a -u user:password flag, while the custom login binary performs credential validation using strcmp(), enabling insecure remote access. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated attacker on the local network can exploit this vulnerability by connecting to the telnet service with the known hardcoded credentials. Successful authentication provides a root shell, granting full administrative control over the device, including potential for arbitrary code execution, configuration changes, or persistence mechanisms.
Advisories, including those from Securin.io, confirm the device has reached end-of-life status and will not receive patches or vendor support. No mitigations are available beyond device replacement or network isolation to prevent local network access to the telnet port.
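An added example, not part of the advisory or any vendor tooling: a Python check that walks an extracted firmware root filesystem and reports scripts that start telnetd with a fixed `-u user:password` argument, following the password back to a file such as /etc/alpha_config/image_sign. The sample tree and the body of the script inside it are constructed for illustration; only the paths, the flag and the credential strings come from the description above.

```python
import os, re, tempfile

# "telnetd ... -u user:password" on a non-comment line; password is a literal, $var or `cat f`.
TELNETD_U = re.compile(
    r'^[^#\n]*\btelnetd\b[^\n]*?\s-u\s+"?([\w.-]+):(`[^`]*`|\$\([^)]*\)|[^\s"&;]+)', re.M)
CAT = re.compile(r'(?:`|\$\()\s*cat\s+([^\s`)]+)')

def resolve(expr, script, rootfs):
    """Follow $var -> assignment -> `cat file` inside the tree; return (source, value)."""
    var = re.fullmatch(r'\$\{?(\w+)\}?', expr)
    m = var and re.search(r'^\s*%s=(.+)$' % re.escape(var.group(1)), script, re.M)
    if m:
        expr = m.group(1).strip().strip('"')
    cat = CAT.search(expr)
    if not cat:
        return "inline in script", expr
    try:  # resolve the path inside the extracted tree, never on the analysis host
        with open(os.path.join(rootfs, cat.group(1).lstrip("/")), errors="ignore") as fh:
            return cat.group(1), fh.read().strip()
    except OSError:
        return cat.group(1) + " (not in image)", None

def audit_rootfs(rootfs):
    """Yield (script, user, password source, password) for each telnetd -u invocation."""
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip links (may point outside the tree) and device nodes
            with open(path, errors="ignore") as fh:
                script = fh.read(65536)
            rel = "/" + os.path.relpath(path, rootfs)
            for m in (TELNETD_U.finditer(script) if script.startswith("#!") else ()):
                yield (rel, m.group(1)) + resolve(m.group(2), script, rootfs)

def build_sample_rootfs(root):
    files = {  # constructed sample tree; the script body is illustrative, not the vendor's file
        "bin/telnetd.sh": "#!/bin/sh\nimage_sign=`cat /etc/alpha_config/image_sign`\n"
                          "telnetd -u Alphanetworks:$image_sign &\n",
        "etc/alpha_config/image_sign": "wrgn35_dlwbr_dir600l\n"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_rootfs(root)
        print(list(audit_rootfs(root)))
```

Any finding whose password resolves to a constant shipped in the image is a credential shared by every unit running that firmware, which is the condition CWE-798 describes.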
Details
- CWE(s)
Affected Products
AI Security Analysis [AI]
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: backdoor
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Hardcoded credentials in the Telnet daemon directly enable use of a backdoor/default account (T1078.001) for unauthenticated remote access via an external service (T1133), granting root shell on the network-accessible router.