CVE-2021-40655 Overview
CVE-2021-40655 is an information disclosure vulnerability affecting D-Link DIR-605 B2 wireless routers running firmware version 2.01MT. This vulnerability allows remote attackers to obtain sensitive credentials, including usernames and passwords, by sending a specially crafted POST request to the /getcfg.php endpoint on the device. The vulnerability requires no authentication, making it particularly dangerous for exposed devices.
Critical Impact
This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Attackers can remotely extract administrator credentials without authentication, potentially leading to complete device compromise.
Affected Products
- D-Link DIR-605L Firmware version 2.01MT
- D-Link DIR-605L Hardware revision B2
- D-Link DIR-605 B2 series routers
Discovery Timeline
- 2021-09-24 - CVE-2021-40655 published to NVD
- 2025-11-10 - Last updated in NVD database
Technical Details for CVE-2021-40655
Vulnerability Analysis
This vulnerability falls under CWE-863 (Incorrect Authorization), where the /getcfg.php script fails to properly verify that incoming requests are authorized before returning sensitive configuration data. The affected endpoint is designed to retrieve device configuration information but lacks proper access controls, allowing any network-accessible attacker to extract credentials.
The vulnerability is particularly severe because it can be exploited remotely over the network without requiring any prior authentication or user interaction. An attacker simply needs to craft a POST request to the vulnerable endpoint to retrieve the router's administrative credentials. Once obtained, these credentials provide full administrative access to the device.
Root Cause
The root cause of CVE-2021-40655 lies in improper authorization checks within the getcfg.php page on affected D-Link DIR-605 devices. The script processes configuration retrieval requests without validating whether the requester has appropriate permissions or is authenticated. This represents a fundamental access control failure in the router's web management interface.
Attack Vector
The attack vector for this vulnerability is network-based, requiring the attacker to have network access to the router's web interface. The exploitation process involves:
- Identifying a vulnerable D-Link DIR-605 B2 router on the network
- Sending a forged POST request to the /getcfg.php endpoint
- Parsing the response to extract plaintext username and password credentials
- Using the obtained credentials to gain full administrative access to the router
The vulnerability can be exploited from the local network, or remotely if the router's web management interface is exposed to the internet. No special privileges or user interaction are required for exploitation.
Technical details and proof-of-concept information are available in the GitHub PoC Repository.
Detection Methods for CVE-2021-40655
Indicators of Compromise
- Unusual HTTP POST requests targeting /getcfg.php on D-Link router interfaces
- Multiple rapid requests to configuration retrieval endpoints from external IP addresses
- Unexpected login events to the router administrative interface following credential extraction
- Network traffic anomalies indicating unauthorized access to router management pages
Detection Strategies
- Monitor web server logs on D-Link devices for POST requests to /getcfg.php from unexpected sources
- Deploy network intrusion detection signatures to identify exploitation attempts against this endpoint
- Implement alerting for any external network access to router management interfaces
- Review firewall logs for incoming connections to router administrative ports from untrusted networks
Monitoring Recommendations
- Enable logging on the router if supported and regularly review for suspicious access patterns
- Use network monitoring tools to detect unauthorized access attempts to the router's web interface
- Implement network segmentation to isolate management interfaces from untrusted network segments
- Consider deploying a web application firewall in front of exposed management interfaces
How to Mitigate CVE-2021-40655
Immediate Actions Required
- Restrict access to the router's web management interface to trusted internal networks only
- Disable remote management features if not required for operations
- Place affected devices behind a firewall that blocks external access to management ports
- Consider replacing end-of-life devices with supported alternatives that receive security updates
Patch Information
D-Link has been notified of this vulnerability. Users should consult the D-Link Security Bulletin for the latest patch availability and firmware updates. Given that the DIR-605 is an older device model, it may have reached end-of-life status, and users are encouraged to verify whether security updates are still being provided.
This vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, indicating it is actively being exploited in the wild. Immediate mitigation is strongly recommended.
Workarounds
- Disable the web management interface entirely if not needed for device administration
- Use firewall rules to restrict access to the router's management interface to specific trusted IP addresses
- Implement network access control lists (ACLs) to limit who can reach the vulnerable endpoint
- Monitor and audit all access to the device pending replacement or firmware update
# Example firewall rule to restrict management interface access (iptables)
# Allow only trusted admin workstation to access router management
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
