Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-46176

CVE-2025-46176: D-Link DIR-605L Firmware RCE Vulnerability

CVE-2025-46176 is a remote code execution vulnerability in D-Link DIR-605L and DIR-816L firmware caused by hardcoded credentials in the Telnet service. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-46176 Overview

CVE-2025-46176 is a hardcoded credentials vulnerability affecting D-Link DIR-605L and DIR-816L consumer routers. The Telnet service in DIR-605L firmware v2.13B01 and DIR-816L firmware v2.06B01 contains embedded credentials that attackers can recover through firmware analysis. Once extracted, these credentials permit remote authentication to the Telnet interface and execution of arbitrary shell commands. The vulnerability is classified under [CWE-77] (Command Injection) and requires network reachability to the router's Telnet port.

Critical Impact

Attackers with network access to the Telnet service can authenticate using firmware-embedded credentials and execute arbitrary commands on affected D-Link routers.

Affected Products

  • D-Link DIR-605L firmware v2.13B01
  • D-Link DIR-816L firmware v2.06B01
  • D-Link DIR-605L and DIR-816L hardware devices running the affected firmware

Discovery Timeline

  • 2025-05-23 - CVE-2025-46176 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-46176

Vulnerability Analysis

The vulnerability resides in the Telnet daemon shipped with the affected D-Link firmware images. The firmware binary contains statically embedded username and password values used to authenticate Telnet sessions. Any party with access to a firmware image can extract the filesystem, locate the Telnet initialization routines, and recover the credentials in plaintext. Because the credentials are identical across every device running the same firmware version, a single successful extraction compromises the entire installed base.

Once authenticated, the Telnet session provides shell-level access to the router's underlying operating system. Attackers can issue arbitrary commands, modify configuration, pivot into the internal network, or install persistent implants. The issue is tracked as [CWE-77] because the resulting shell allows unrestricted command execution.

Root Cause

The root cause is the inclusion of static, non-removable credentials in the Telnet service binary. The firmware does not derive credentials from device-unique material such as MAC address, serial number, or a first-boot provisioning step. Firmware extraction tools such as binwalk reveal the SquashFS root filesystem, after which reverse engineering of the Telnet binary exposes the embedded strings.

Attack Vector

Exploitation requires network reachability to the Telnet service, typically on TCP port 23. On networks where the router exposes Telnet to the WAN interface, the attack is remote and unauthenticated in practice, since the credentials are public knowledge after firmware analysis. On LAN-only deployments, any device on the internal network can reach the service. Refer to the GitHub PoC Repository for technical reproduction details.

No verified exploit code is reproduced here. See the linked PoC repository
for firmware extraction steps and credential recovery methodology.

Detection Methods for CVE-2025-46176

Indicators of Compromise

  • Unexpected inbound TCP connections to port 23 on DIR-605L or DIR-816L devices
  • Successful Telnet authentication events originating from unfamiliar source IP addresses
  • New or modified processes, cron jobs, or startup scripts on the router filesystem
  • Outbound connections from the router to unknown command-and-control endpoints

Detection Strategies

  • Inventory affected firmware versions using SNMP, HTTP banner grabbing, or configuration management data
  • Perform internal port scans to identify devices exposing TCP/23 and correlate with router asset lists
  • Capture and inspect Telnet traffic at network chokepoints for authentication attempts against router IP addresses
  • Compare running router configuration against a known-good baseline to identify unauthorized changes

Monitoring Recommendations

  • Forward router syslog and authentication logs to a centralized log platform for anomaly review
  • Alert on any Telnet session establishment involving consumer router management IPs
  • Monitor DNS and NetFlow data for unusual traffic patterns sourced from router interfaces
  • Track firmware version drift across the router fleet to identify unpatched devices

How to Mitigate CVE-2025-46176

Immediate Actions Required

  • Disable the Telnet service on affected D-Link DIR-605L and DIR-816L devices through the administrative interface
  • Block inbound TCP/23 at upstream firewalls and confirm the service is not exposed to the WAN
  • Restrict LAN-side management access to a dedicated administrative VLAN or trusted host list
  • Rotate any shared secrets, Wi-Fi keys, or credentials that traversed a potentially compromised router

Patch Information

Consult the D-Link Security Bulletin for the current patch and end-of-life status of the DIR-605L and DIR-816L product lines. Both models are legacy consumer routers, and D-Link may issue only limited updates or recommend hardware replacement. Apply any available firmware updates through the vendor's official channels and verify the update using published checksums.

Workarounds

  • Replace affected devices with actively supported hardware if no firmware fix is available
  • Segment the router onto an isolated management network with no direct user or internet access to TCP/23
  • Deploy an inline firewall rule that drops all Telnet traffic destined for router management interfaces
  • Enforce SSH-only administration where the platform supports it and disable all cleartext management protocols
bash
# Example upstream firewall rule to block Telnet to router management IP
iptables -A FORWARD -p tcp --dport 23 -d <router_ip> -j DROP
iptables -A INPUT   -p tcp --dport 23 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.