D-Link DIR-600L EOL Router Exposes Critical Telnet Backdoor
The National Vulnerability Database has identified a critical hardcoded Telnet backdoor in D-Link DIR-600L routers, specifically hardware revision A1. This vulnerability, cataloged as CVE-2026-42375, allows unauthenticated attackers on the local network to gain root-level administrative control. The device starts a Telnet daemon at boot with a static username (‘Alphanetworks’) and password (‘wrgn35_dlwbr_dir600l’), which makes exploitation easy.
Given that this device is End-of-Life (EOL), D-Link will not provide any patches. This leaves users with a severely compromised device that poses a significant risk to their network security. The high CVSS score of 9.8 underscores the severity of this flaw, making it a prime target for attackers seeking to establish a foothold in a network.
Defenders should immediately identify and isolate any D-Link DIR-600L A1 devices within their environments. Given the EOL status, decommissioning these devices and replacing them with supported hardware is the only secure long-term solution. Network segmentation can help limit the blast radius if such a device is discovered.
What This Means For You
- If your organization has legacy D-Link DIR-600L A1 routers deployed, you must identify and remove them from your network immediately. These devices are unpatchable and provide a direct root shell to any attacker on the local network.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-42375 D-Link DIR-600L Telnet Daemon Startup
```yaml
title: CVE-2026-42375 D-Link DIR-600L Telnet Daemon Startup
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects the startup of the hardcoded telnet daemon on D-Link DIR-600L routers (CVE-2026-42375). The script /bin/telnetd.sh is executed with specific hardcoded credentials, allowing unauthenticated access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42375/
tags:
  - attack.persistence
  - attack.t1078.004
logsource:
  category: process_creation
detection:
  # Process image is the startup script
  selection:
    Image|endswith:
      - '/bin/telnetd.sh'
  # Command line carries the hardcoded user:password pair
  selection_base:
    CommandLine|contains:
      - '-u Alphanetworks:wrgn35_dlwbr_dir600l'
  # Both selections must match the same event
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity
```
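The rule's matching logic applied to three constructed process_creation events, as an added example that is not part of the original page or the feed's tooling. It shows that both selections must hold on the same event, so an event where the telnetd binary itself carries the `-u` flag is not caught; the event records and the `/usr/sbin/telnetd` path are assumptions made up for illustration.

```python
# Added example: the rule's two selections, evaluated over constructed events.
# Field names come from the rule; event contents and paths are assumptions.
SELECTIONS = {
    "selection": ("Image", "endswith", ["/bin/telnetd.sh"]),
    "selection_base": ("CommandLine", "contains",
                       ["-u Alphanetworks:wrgn35_dlwbr_dir600l"]),
}

def selection_hits(event, field, modifier, values):
    """True if the event field satisfies any listed value (Sigma lists are OR)."""
    actual = str(event.get(field, "")).lower()  # Sigma string matching ignores case
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
    return False

def evaluate(event):
    """Return (matched, per-selection results) for 'selection and selection_base'."""
    results = {name: selection_hits(event, *spec) for name, spec in SELECTIONS.items()}
    return all(results.values()), results

# Constructed sample events, not captured from a real device
EVENTS = [
    {"id": "boot-script", "Image": "/bin/telnetd.sh",
     "CommandLine": "/bin/telnetd.sh -u Alphanetworks:wrgn35_dlwbr_dir600l"},
    {"id": "script-no-creds", "Image": "/bin/telnetd.sh",
     "CommandLine": "/bin/telnetd.sh"},
    {"id": "daemon-direct", "Image": "/usr/sbin/telnetd",
     "CommandLine": "telnetd -u Alphanetworks:wrgn35_dlwbr_dir600l"},
]

def triage(events):
    """Map event id -> 'alert', or 'miss:' plus the selections that failed."""
    out = {}
    for ev in events:
        matched, results = evaluate(ev)
        missed = [name for name, ok in results.items() if not ok]
        out[ev["id"]] = "alert" if matched else "miss:" + ",".join(missed)
    return out

if __name__ == "__main__":
    for event_id, verdict in triage(EVENTS).items():
        print(f"{event_id:16} {verdict}")
```

If process telemetry records the daemon rather than the wrapper script as the image, matching on the `CommandLine` selection alone would cover that case.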
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42375 | Auth Bypass | D-Link DIR-600L Hardware Revision A1 |
| CVE-2026-42375 | Auth Bypass | Hardcoded credentials: username 'Alphanetworks', password 'wrgn35_dlwbr_dir600l' |
| CVE-2026-42375 | Auth Bypass | Vulnerable component: /bin/telnetd.sh |
| CVE-2026-42375 | Auth Bypass | Vulnerable component: custom telnetd binary accepting -u user:password flag |
| CVE-2026-42375 | Auth Bypass | Vulnerable component: custom login binary using strcmp() for credential validation |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.