D-Link DIR-600L EOL Router Has Hardcoded Telnet Backdoor
The National Vulnerability Database (NVD) reports a critical hardcoded telnet backdoor, CVE-2026-42374, in D-Link DIR-600L Hardware Revision B1 routers. This vulnerability allows an unauthenticated attacker on the local network to gain a root shell with full administrative control. The device starts a telnet daemon at boot using /bin/telnetd.sh, configured with the static username “Alphanetworks” and password “wrgn61_dlwbr_dir600L” found in /etc/alpha_config/image_sign.
This is a severe issue, rated 9.8 (CRITICAL) on the CVSS scale. The custom telnetd binary accepts a -u user:password flag, and the login process validates credentials via strcmp(), making the hardcoded backdoor easily exploitable. Since the D-Link DIR-600L has reached End-of-Life (EOL), D-Link will not issue any patches, leaving deployed devices permanently vulnerable.
For defenders, this means any D-Link DIR-600L B1 devices still operating on networks are ticking time bombs. Attackers gaining a foothold on the local network can immediately pivot to full control of these routers, turning them into launchpads for further internal compromise, traffic sniffing, or denial-of-service attacks. The attacker’s calculus is simple: if it’s there, it’s owned.
What This Means For You
- If your organization or any connected remote offices still use D-Link DIR-600L Hardware Revision B1 routers, they are exposed to unauthenticated root access via CVE-2026-42374. There will be no patch. You MUST identify and replace these devices immediately. Isolate them from your network until they can be decommissioned.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-42374 D-Link DIR-600L Hardcoded Telnet Backdoor Login Attempt
```yaml
title: CVE-2026-42374 D-Link DIR-600L Hardcoded Telnet Backdoor Login Attempt
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects attempts to log in to a D-Link DIR-600L router using the hardcoded 'Alphanetworks' username and 'wrgn61_dlwbr_dir600L' password via the telnet daemon. This is a direct indicator of exploitation of CVE-2026-42374.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42374/
tags:
  - attack.credential_access
  - attack.t1110.001
logsource:
  category: authentication
detection:
  selection:
    User|exact:
      - 'Alphanetworks'
    CommandLine|contains:
      - '-u Alphanetworks:wrgn61_dlwbr_dir600L'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42374 | Auth Bypass | D-Link DIR-600L Hardware Revision B1 |
| CVE-2026-42374 | Auth Bypass | Hardcoded credentials: username 'Alphanetworks', password 'wrgn61_dlwbr_dir600L' |
| CVE-2026-42374 | Auth Bypass | Vulnerable component: /bin/telnetd.sh |
| CVE-2026-42374 | Auth Bypass | Credential source: /etc/alpha_config/image_sign |
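The file-level indicators above can be checked against an unpacked firmware root filesystem before a device model is cleared for use. The following Python audit is an added example, not code from NVD or D-Link: `audit_rootfs` and `build_sample_rootfs` are hypothetical names, and the script body written into the sample tree is constructed for illustration rather than copied from the vendor image.

```python
import re
import tempfile
from pathlib import Path

# telnetd launched with "-u user:password"; the password part may be a
# literal or a shell variable, and either form is reported.
TELNETD_U = re.compile(r"\btelnetd\b[^\n#]*?\s-u\s+[\"']?([^\s:\"']+):([^\s\"']+)")

def audit_rootfs(rootfs):
    """Return (script, line_no, user, secret_expr) for every shell-script line
    under an unpacked firmware root that starts telnetd with -u credentials."""
    findings = []
    root = Path(rootfs)
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a crafted image cannot point the audit outside the tree.
        if path.is_symlink() or not path.is_file():
            continue
        text = path.read_text(errors="replace")
        if not text.startswith("#!"):      # only interpreter scripts
            continue
        for n, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):  # ignore commented-out lines
                continue
            m = TELNETD_U.search(line)
            if m:
                rel = path.relative_to(root).as_posix()
                findings.append((rel, n, m.group(1), m.group(2)))
    return findings

def build_sample_rootfs(base):
    """Constructed sample tree using the paths named in the advisory."""
    root = Path(base)
    (root / "bin").mkdir()
    (root / "etc/alpha_config").mkdir(parents=True)
    (root / "etc/alpha_config/image_sign").write_text("wrgn61_dlwbr_dir600L\n")
    (root / "bin/telnetd.sh").write_text(
        "#!/bin/sh\n"
        "image_sign=`cat /etc/alpha_config/image_sign`\n"
        "telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign &\n"
    )
    (root / "bin/ntp.sh").write_text("#!/bin/sh\nntpclient -h pool.example &\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_rootfs(build_sample_rootfs(tmp)):
            print(finding)
```

A finding whose secret expression is a variable, as in the sample, means the credential is read from another file in the image and that file should be reviewed as well.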
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.