CVE-2026-42376: D-Link DIR-456U EOL Router Exposes Critical Backdoor
The National Vulnerability Database has identified a critical hardcoded telnet backdoor in D-Link DIR-456U Hardware Revision A1 routers. This vulnerability, tracked as CVE-2026-42376, allows an unauthenticated attacker on the local network to gain root-level administrative control. The device starts a telnet daemon at boot with hardcoded credentials ('Alphanetworks'/'whdrv01_dlob_dir456U') found in /etc/config/image_sign, enabling immediate exploitation.
Crucially, this device has reached its End-of-Life (EOL) status, meaning no patches will be released. The CVSS score of 9.8 highlights the severity, making it a prime target for attackers seeking easy access into networks via legacy devices. Defenders must assume these devices, if still in use, are compromised or will be.
The primary defense strategy here is device retirement and replacement. Organizations still operating EOL D-Link DIR-456U routers must immediately identify and decommission them. Network segmentation and vigilant monitoring for unauthorized telnet access are also critical, though the inherent nature of this backdoor makes detection post-exploitation challenging.
What This Means For You
- If your organization still has legacy network devices deployed, especially routers, inventory all hardware immediately. Prioritize identifying and decommissioning any D-Link DIR-456U Hardware Revision A1 devices. Because this is an EOL product with a critical, hardcoded backdoor, assume any such device still in operation is a compromised entry point into your network.
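The inventory and telnet-monitoring steps above can be combined. The following Python is an added example, not part of the original advisory or the NVD entry: it selects DIR-456U Hardware Revision A1 rows from an asset inventory and flags every TCP/23 flow that reaches them. The CSV column names, flow-record layout, and sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data; column names and record layouts are assumptions.
INVENTORY_CSV = """ip,vendor,model,hw_rev
192.168.10.1,D-Link,DIR-456U,A1
192.168.10.2,D-Link,DIR-456U,B1
192.168.20.1,Other,RX-100,A1
"""
FLOWS_CSV = """ts,src_ip,dst_ip,dst_port,proto,state
2026-05-05T08:00:01Z,192.168.10.57,192.168.10.1,23,tcp,ESTABLISHED
2026-05-05T08:00:09Z,192.168.10.57,192.168.10.1,443,tcp,ESTABLISHED
2026-05-05T08:01:30Z,192.168.10.80,192.168.10.1,23,tcp,SYN_SENT
2026-05-05T08:02:12Z,192.168.10.57,192.168.10.2,23,tcp,ESTABLISHED
"""


def affected_devices(inventory_text):
    """Return the IPs of inventory rows matching DIR-456U hardware revision A1."""
    rows = csv.DictReader(io.StringIO(inventory_text))
    return {
        r["ip"].strip() for r in rows
        if r["model"].strip().upper() == "DIR-456U"
        and r["hw_rev"].strip().upper() == "A1"
    }


def telnet_findings(flows_text, device_ips):
    """Flag every TCP/23 flow towards an affected device."""
    # The device is EOL and its telnet service is the backdoor, so no source is
    # allow-listed: established sessions are "high", bare attempts "medium".
    findings = []
    for f in csv.DictReader(io.StringIO(flows_text)):
        if f["proto"].lower() != "tcp" or int(f["dst_port"]) != 23:
            continue
        if f["dst_ip"] not in device_ips:
            continue
        severity = "high" if f["state"] == "ESTABLISHED" else "medium"
        findings.append((f["ts"], f["src_ip"], f["dst_ip"], severity))
    return findings


if __name__ == "__main__":
    devices = affected_devices(INVENTORY_CSV)
    print("Decommission:", sorted(devices))
    for finding in telnet_findings(FLOWS_CSV, devices):
        print("Telnet to affected router:", *finding)
```

Network-level flow data complements the authentication-log rule further down, since it does not depend on the router forwarding its own login events.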
🛡️ Detection Rules
CVE-2026-42376: D-Link DIR-456U Hardcoded Telnet Backdoor Credentials
```yaml
title: "CVE-2026-42376: D-Link DIR-456U Hardcoded Telnet Backdoor Credentials"
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects the use of the hardcoded 'Alphanetworks' username associated with the D-Link DIR-456U backdoor. This is a direct indicator of exploitation of CVE-2026-42376, allowing an attacker to gain unauthorized access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42376/
tags:
  - attack.credential_access
  - attack.t1110.001
logsource:
  category: authentication
detection:
  selection:
    User|contains:
      - 'Alphanetworks'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42376 | Auth Bypass | D-Link DIR-456U Hardware Revision A1 |
| CVE-2026-42376 | Auth Bypass | Hardcoded telnet backdoor username: Alphanetworks |
| CVE-2026-42376 | Auth Bypass | Hardcoded telnet backdoor password: whdrv01_dlob_dir456U |
| CVE-2026-42376 | Auth Bypass | Vulnerable component: /etc/init0.d/S80telnetd.sh |
| CVE-2026-42376 | Auth Bypass | Vulnerable component: custom login binary using strcmp() for credential validation |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.