CVE-2026-42372 Overview
CVE-2026-42372 is a hardcoded credentials vulnerability [CWE-798] in the D-Link DIR-605L Hardware Revision A1 router. The device ships with a telnet backdoor that starts at boot via /bin/telnetd.sh. The static username Alphanetworks and password wrgn35_dlwbr_dir605l are read from /etc/alpha_config/image_sign. An unauthenticated attacker on the local network can authenticate to the telnet daemon and obtain a root shell. The DIR-605L A1 has reached End-of-Life (EOL) status and will not receive security patches from D-Link.
Critical Impact
Adjacent-network attackers gain unauthenticated root shell access to the router, enabling full administrative control, traffic interception, and persistent footholds inside the LAN.
Affected Products
- D-Link DIR-605L Hardware Revision A1 (End-of-Life)
- D-Link DIR-605L firmware (all versions on Hardware Revision A1)
- Devices exposing the embedded telnetd service on the local network
Discovery Timeline
- 2026-05-04 - CVE-2026-42372 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42372
Vulnerability Analysis
The DIR-605L A1 firmware contains a custom telnetd binary and a custom login binary that together implement a static authentication backdoor. At boot, the script /bin/telnetd.sh launches the telnet daemon and passes a credential pair through the non-standard -u user:password flag. The credentials are loaded from the file /etc/alpha_config/image_sign, which contains the fixed username Alphanetworks and password wrgn35_dlwbr_dir605l. The custom login binary validates incoming credentials with strcmp() against these hardcoded values. Successful authentication drops the attacker into a root shell with no further checks. Because the credentials are baked into firmware shared across all DIR-605L A1 units, the same password works on every affected device worldwide. The telnetd service listens on the LAN interface, so any attacker with adjacent-network access — including a guest Wi-Fi client or a compromised device on the same broadcast domain — can reach it.
Root Cause
The root cause is the use of hardcoded credentials [CWE-798] embedded in firmware. The vendor included a debug or manufacturing telnet service in production builds and validated authentication against static strings rather than per-device or user-managed secrets.
Attack Vector
Exploitation requires only network reachability to the router's telnet port on the LAN segment. The attacker connects to the telnet service, supplies the static username and password, and receives an interactive root shell. No prior authentication, user interaction, or privilege is needed. See the Securin Zero-Day Analysis CVE-2026-42372 for additional technical context.
Detection Methods for CVE-2026-42372
Indicators of Compromise
- Inbound TCP connections to port 23 (telnet) on the router's LAN interface, especially from non-administrative hosts.
- Successful telnet logins using the username Alphanetworks.
- Unexpected outbound traffic from the router itself, indicating post-exploitation tooling or tunnels.
- DNS configuration changes on the router that redirect client queries to attacker-controlled resolvers.
Detection Strategies
- Scan the internal network for devices exposing TCP/23 and fingerprint the banner for D-Link DIR-605L firmware strings.
- Inspect router configuration backups for the file /etc/alpha_config/image_sign containing Alphanetworks:wrgn35_dlwbr_dir605l.
- Monitor LAN traffic for telnet authentication patterns matching the static credential string.
Monitoring Recommendations
- Alert on any telnet session originating from client subnets toward gateway or router IP addresses.
- Track DHCP, DNS, and routing changes on perimeter SOHO devices using NetFlow or syslog forwarding.
- Treat any DIR-605L A1 still in production as a high-risk asset and continuously monitor its management plane.
How to Mitigate CVE-2026-42372
Immediate Actions Required
- Replace the DIR-605L A1 with a supported router model that receives security updates.
- If replacement is not immediate, isolate the device on a dedicated VLAN and block lateral access from untrusted clients.
- Disable or firewall TCP port 23 on the router's LAN interface where the device firmware permits.
- Audit the router for unauthorized configuration changes, custom firmware, or added accounts before retiring it.
Patch Information
No patch is available. D-Link has designated the DIR-605L Hardware Revision A1 as End-of-Life, and the vendor has stated it will not issue security updates for this model. Refer to the Securin Zero-Day Analysis CVE-2026-42372 for vendor status.
Workarounds
- Place the router behind a firewall that restricts inbound LAN-side telnet to a single administrative host.
- Disable Wi-Fi guest networks and enforce WPA2/WPA3 with strong pre-shared keys to limit adjacent-network access.
- Segment IoT and untrusted clients away from the router management VLAN.
- Plan a hardware refresh cycle for all EOL networking equipment to remove unpatched backdoors from the environment.
# Configuration example: block telnet at an upstream firewall (iptables)
iptables -A FORWARD -p tcp --dport 23 -d <router_lan_ip> -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
