D-Link DIR-605L EOL Router Hit by Critical Telnet Backdoor
The National Vulnerability Database has disclosed CVE-2026-42373, a critical vulnerability impacting the D-Link DIR-605L Hardware Revision B2 router. This device, having reached End-of-Life (EOL), contains a hardcoded telnet backdoor. The vulnerability stems from the router’s boot process, which initiates a telnet daemon via /bin/telnetd.sh.
Attackers can exploit this by using the static username “Alphanetworks” and password “wrgn76_dlwbr_dir605L”, read directly from /etc/alpha_config/image_sign. The custom telnetd binary accepts these credentials, and the login binary validates them using strcmp(). Because the credentials are hardcoded, an attacker on the local network needs no prior account or access: a successful login yields a root shell and complete administrative control over the device. With a CVSS score of 9.8, this is a severe access vector.
Given that the D-Link DIR-605L is EOL, it will not receive any patches for this flaw. This means any active devices are permanently exposed. Attackers can leverage this to establish persistent footholds within local networks, pivoting to other internal systems. This isn’t just about router control; it’s about a gateway into the entire network segment.
What This Means For You
- If your organization or any connected users still operate a D-Link DIR-605L Hardware Revision B2 router, you must immediately remove it from your network. This device is a ticking time bomb, offering a free root shell to anyone on the local network. Replace it with a supported, patched alternative. Do not rely on network segmentation alone; this is a direct root compromise.
🛡️ Detection Rules
4 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK.
CVE-2026-42373 - D-Link DIR-605L Telnet Backdoor Login
```yaml
title: CVE-2026-42373 - D-Link DIR-605L Telnet Backdoor Login
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects the specific hardcoded username 'Alphanetworks' used in the Telnet backdoor on D-Link DIR-605L routers, indicating exploitation of CVE-2026-42373.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42373/
tags:
  - attack.persistence
  - attack.t1078.004
logsource:
  category: authentication
detection:
  selection:
    # Plain field match: Sigma compares the whole value when no modifier is given.
    User:
      - 'Alphanetworks'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42373 | Auth Bypass | D-Link DIR-605L Hardware Revision B2 |
| CVE-2026-42373 | Auth Bypass | Hardcoded credentials: username 'Alphanetworks', password 'wrgn76_dlwbr_dir605L' |
| CVE-2026-42373 | Auth Bypass | Vulnerable component: /bin/telnetd.sh |
| CVE-2026-42373 | Auth Bypass | Vulnerable file: /etc/alpha_config/image_sign |
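
A firmware-triage check built from the indicators in the table above, as an added example (not code from NVD, D-Link or the original post): it inspects an unpacked firmware root directory for the boot-time telnetd script, the credential file and the fixed username. The function names, finding labels and the sample tree are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Paths and username come from the advisory text; nothing else is assumed.
TELNETD_SCRIPT = "bin/telnetd.sh"
CRED_FILE = "etc/alpha_config/image_sign"
BACKDOOR_USER = b"Alphanetworks"

def audit_rootfs(root):
    """Return findings for one unpacked firmware root directory."""
    root = Path(root)
    script, cred = root / TELNETD_SCRIPT, root / CRED_FILE
    findings = []
    if script.is_file():
        findings.append("telnetd-start-script")
        if ("/" + CRED_FILE).encode() in script.read_bytes():
            findings.append("script-reads-credential-file")
    if cred.is_file() and cred.read_bytes().strip():
        findings.append("static-credential-file")  # value is never printed
    # Files that embed the fixed username (boot script, login binary, ...).
    # Symlinks are skipped so a link cannot lead the scan outside the image.
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            if BACKDOOR_USER in path.read_bytes():
                findings.append("username-in:" + path.relative_to(root).as_posix())
    return findings

def verdict(findings):
    """Flag only when boot script and credential file are both present."""
    core = {"telnetd-start-script", "static-credential-file"}
    return "AFFECTED" if core <= set(findings) else "not matched"

def build_sample(root, vulnerable):
    """Constructed stand-in tree; file contents are illustrative, not vendor code."""
    root = Path(root)
    (root / "bin").mkdir(parents=True)
    (root / "etc/alpha_config").mkdir(parents=True)
    if vulnerable:
        (root / TELNETD_SCRIPT).write_text(
            "#!/bin/sh\n# constructed\nU=Alphanetworks\nS=/etc/alpha_config/image_sign\n")
        (root / CRED_FILE).write_text("PLACEHOLDER\n")
    return root

if __name__ == "__main__":
    for flag in (True, False):
        with tempfile.TemporaryDirectory() as tmp:
            found = audit_rootfs(build_sample(tmp, flag))
            print(verdict(found), found)
```

Point `audit_rootfs` at the directory your firmware extraction tool produced; the verdict requires both the start script and a non-empty credential file, so a stray username string alone does not flag an image.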
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.