CVE-2026-42373 Overview
CVE-2026-42373 is a hardcoded credentials vulnerability [CWE-798] in the D-Link DIR-605L Hardware Revision B2 router. The device boots a telnet daemon through /bin/telnetd.sh using the username Alphanetworks and the static password wrgn76_dlwbr_dir605L sourced from /etc/alpha_config/image_sign. An attacker with adjacent network access can authenticate to the telnet service and obtain a root shell. The DIR-605L B2 has reached End-of-Life (EOL), and D-Link will not issue a firmware patch. The flaw affects both the DIR-605L hardware and its firmware images.
Critical Impact
Unauthenticated attackers on the local network gain a root shell with full administrative control over the router, enabling traffic interception, persistence, and lateral movement.
Affected Products
- D-Link DIR-605L Hardware Revision B2 (End-of-Life)
- D-Link DIR-605L Firmware (all versions for B2 hardware)
- CPE: cpe:2.3:h:dlink:dir-605l:b2
Discovery Timeline
- 2026-05-04 - CVE-2026-42373 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42373
Vulnerability Analysis
The DIR-605L B2 ships with a vendor backdoor account baked into the firmware image. At boot, the init script /bin/telnetd.sh launches a custom telnetd binary that accepts the non-standard -u user:password flag to register fixed credentials. The daemon hands authentication off to a custom login binary that compares submitted credentials with strcmp() against the values pulled from /etc/alpha_config/image_sign. The username Alphanetworks and password wrgn76_dlwbr_dir605L are static across all units of the affected hardware revision. This vulnerability falls under hardcoded credentials [CWE-798] and yields a root shell on successful telnet authentication.
Root Cause
The firmware embeds a manufacturer service account in cleartext on the filesystem and exposes it through telnet by default. There is no provisioning step to rotate or disable the credential, and the validation routine performs a direct string comparison without rate limiting, lockout, or audit logging. Because the password ships inside the firmware image, every DIR-605L B2 device worldwide shares the same secret.
Attack Vector
Exploitation requires network adjacency to the router, typically the LAN or Wi-Fi segment the device serves. An attacker connects to TCP port 23, supplies the username Alphanetworks and password wrgn76_dlwbr_dir605L, and receives a root shell. From that shell the attacker can modify DNS settings, install persistent implants, capture traffic, pivot to internal hosts, or enroll the device into a botnet. No user interaction or prior authentication to the web UI is required. Refer to the Securin Zero-Day Analysis for additional details on the binary behavior.
Detection Methods for CVE-2026-42373
Indicators of Compromise
- Inbound or internal TCP connections to port 23 on the DIR-605L router
- Authentication attempts using the username Alphanetworks
- Presence of the file /etc/alpha_config/image_sign containing the static credential string
- Unexpected DNS, firewall, or routing configuration changes on the router
Detection Strategies
- Inspect network flows for telnet (port 23) sessions originating from LAN clients to the router management interface
- Capture and analyze telnet handshakes for the literal string Alphanetworks in USER negotiation
- Audit router configuration drift, particularly DNS server, admin password, and port forwarding rules
Monitoring Recommendations
- Enable NetFlow or packet capture at the gateway to flag any telnet traffic, which should not exist on a modern network
- Alert on new or unknown MAC addresses on management VLANs that could indicate attacker pivoting
- Track device firmware version and EOL status in asset inventory to prioritize replacement
How to Mitigate CVE-2026-42373
Immediate Actions Required
- Replace the DIR-605L B2 with a supported router model, as no patch will be released
- Block TCP port 23 inbound on the WAN interface and segregate the router management plane from untrusted Wi-Fi
- Disconnect the affected device from networks handling sensitive data until replacement
Patch Information
D-Link has declared the DIR-605L Hardware Revision B2 End-of-Life. No firmware update will be issued for CVE-2026-42373. The vendor recommendation is hardware replacement. See the Securin Zero-Day Analysis for the full advisory record.
Workarounds
- Place the router behind an upstream firewall that drops all inbound traffic to TCP port 23
- Restrict LAN access to the router management subnet using VLANs and ACLs so that only trusted hosts can reach the device
- Disable Wi-Fi or apply WPA2/WPA3 with strong keys to limit who can reach the adjacent network
- Monitor the device closely and decommission it as soon as a supported replacement is available
# Example upstream firewall rule to block telnet to the EOL router
# Replace 192.0.2.10 with the DIR-605L LAN IP
iptables -I FORWARD -p tcp -d 192.0.2.10 --dport 23 -j DROP
iptables -I INPUT -p tcp --dport 23 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
