CVE-2026-42374 Overview
CVE-2026-42374 is a hardcoded credentials vulnerability [CWE-798] in the D-Link DIR-600L Hardware Revision B1 router. The device boots a telnet daemon through /bin/telnetd.sh using the username Alphanetworks and the static password wrgn61_dlwbr_dir600L, which is read from /etc/alpha_config/image_sign. An attacker on the adjacent network can authenticate to this telnet service and obtain a root shell with full administrative control. The DIR-600L B1 has reached End-of-Life (EOL) status, and D-Link will not issue patches for this device.
Critical Impact
Unauthenticated adjacent-network attackers gain root shell access on affected DIR-600L B1 routers, enabling complete device takeover, traffic interception, and pivoting into the local network.
Affected Products
- D-Link DIR-600L Router, Hardware Revision B1
- D-Link DIR-600L Firmware (all versions on B1 hardware)
- Status: End-of-Life (no patches forthcoming)
Discovery Timeline
- 2026-05-04 - CVE-2026-42374 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42374
Vulnerability Analysis
The DIR-600L B1 firmware ships with a custom telnet daemon and a custom login binary that together implement a fixed backdoor account. At system startup, /bin/telnetd.sh launches the modified telnetd binary, which accepts a non-standard -u user:password flag to register a static credential pair. The script supplies the username Alphanetworks and reads the password wrgn61_dlwbr_dir600L from the file /etc/alpha_config/image_sign.
The accompanying custom login binary validates submitted credentials using strcmp() against this hardcoded pair. There is no challenge-response mechanism, rate limiting, or per-device entropy. Any attacker who can reach the device on the local or adjacent network and submit the static credentials receives an interactive root shell.
Because the credential material is identical across every DIR-600L B1 unit, a single credential disclosure compromises the entire installed base. The vulnerability is reachable over the adjacent network attack vector with low complexity and no privileges or user interaction required.
Root Cause
The root cause is the deliberate inclusion of vendor-installed hardcoded credentials [CWE-798] inside the firmware image. The static password is stored on the filesystem at /etc/alpha_config/image_sign and consumed by an internal-only flag (-u) that the vendor added to its custom telnet daemon for diagnostic or manufacturing purposes.
Attack Vector
An attacker on the same Layer 2 segment, a guest Wi-Fi network bridged to the LAN, or any network path that reaches TCP port 23 on the router can connect to the telnet service. The attacker authenticates as Alphanetworks with the password wrgn61_dlwbr_dir600L. The session lands in a root shell, allowing arbitrary command execution, firmware modification, DNS rewriting, and persistent implant installation.
No verified public exploit code is published. The exploitation steps are documented in the Securin Zero-Day Analysis.
Detection Methods for CVE-2026-42374
Indicators of Compromise
- Inbound or outbound TCP connections to port 23 (telnet) on a DIR-600L B1 router from any host on the LAN.
- Authentication attempts using the username Alphanetworks observed in any captured telnet traffic or syslog forwarded from the device.
- Unexpected modification of router DNS, DHCP, or firewall settings on a DIR-600L B1.
- Outbound connections from the router itself to attacker infrastructure, indicating post-exploitation implant activity.
Detection Strategies
- Inspect network traffic for cleartext telnet sessions (port 23) sourced or destined to consumer router IP addresses, and alert on the literal string Alphanetworks in payload data.
- Run an authenticated network scan to enumerate listening services on home and branch routers; flag any device exposing telnet.
- Correlate router configuration changes with administrative login events from non-administrative hosts.
Monitoring Recommendations
- Capture NetFlow or IPFIX records at the LAN edge and alert on internal connections to TCP/23.
- Forward router syslog where supported and watch for telnet session establishment messages.
- Track DNS resolver changes on client hosts that could indicate router-level DNS hijacking.
How to Mitigate CVE-2026-42374
Immediate Actions Required
- Replace the DIR-600L B1 with a currently supported router. The device is End-of-Life and will not receive a fix.
- If immediate replacement is not possible, isolate the router on a segment with no sensitive assets and block lateral access to TCP port 23 at the upstream firewall.
- Audit the router configuration for unauthorized changes to DNS servers, port forwarding rules, and administrative accounts.
- Rotate any credentials that may have been transmitted through a compromised DIR-600L B1.
Patch Information
No patch is available. D-Link has classified the DIR-600L Hardware Revision B1 as End-of-Life, and the vendor has stated that no firmware updates will be released. Refer to the Securin Zero-Day Analysis for the current vendor position.
Workarounds
- Block inbound and intra-LAN traffic to TCP port 23 on the router using an upstream firewall or managed switch ACL.
- Disable any services on the router that are not strictly required, and confirm telnet is not exposed on the WAN interface.
- Place the router behind a network segmentation boundary so untrusted clients cannot reach it on Layer 2.
- Plan migration to a supported device as the only durable mitigation, since the hardcoded credentials cannot be removed without firmware modification.
# Example upstream firewall rule to block telnet to the affected router
# Replace 192.0.2.1 with the DIR-600L B1 LAN IP
iptables -I FORWARD -p tcp -d 192.0.2.1 --dport 23 -j DROP
iptables -I INPUT -p tcp -d 192.0.2.1 --dport 23 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
