CVE-2026-42375 Overview
CVE-2026-42375 is a hardcoded credentials vulnerability [CWE-798] in the D-Link DIR-600L Hardware Revision A1 router. The device boots a telnet daemon through /bin/telnetd.sh using the username Alphanetworks and the static password wrgn35_dlwbr_dir600l. The password is read from /etc/alpha_config/image_sign and embedded in the firmware image. An attacker on the adjacent network can authenticate to the telnet service and obtain a root shell with full administrative control. The DIR-600L A1 has reached End-of-Life and D-Link will not release a patch.
Critical Impact
Unauthenticated attackers on the local network gain root shell access on affected D-Link DIR-600L A1 routers via hardcoded telnet credentials, with no vendor patch available.
Affected Products
- D-Link DIR-600L Hardware Revision A1 (End-of-Life)
- D-Link DIR-600L Firmware (all versions)
- Devices exposing the telnet daemon started by /bin/telnetd.sh
Discovery Timeline
- 2026-05-04 - CVE-2026-42375 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42375
Vulnerability Analysis
The DIR-600L A1 ships with a hardcoded administrative account compiled into its custom telnet stack. At boot, the init script /bin/telnetd.sh launches a vendor-modified telnetd binary. The custom telnetd accepts a -u user:password flag, which the script populates with values sourced from /etc/alpha_config/image_sign. The username is Alphanetworks and the password is wrgn35_dlwbr_dir600l. The device's customized login binary then validates submitted credentials with strcmp() against this hardcoded pair. Successful authentication returns a root shell, granting complete control over the router, including configuration, traffic interception, and pivoting into the LAN.
Root Cause
The root cause is the use of hardcoded credentials [CWE-798] embedded in the firmware image. The credentials are static across all DIR-600L A1 devices, cannot be rotated by the user, and are not gated by any administrative toggle. Because the password resides in a predictable file path within the firmware, anyone with access to a firmware image can extract it and reuse it against every deployed device of this model.
Attack Vector
Exploitation requires network adjacency, typically meaning the attacker is connected to the same Wi-Fi network or LAN segment as the router. The attacker connects to TCP port 23 on the router's LAN interface, supplies the hardcoded username and password, and receives a root shell. No prior authentication, user interaction, or privilege is required. Refer to the Securin Zero-Day Analysis for additional technical detail on the backdoor activation path.
Detection Methods for CVE-2026-42375
Indicators of Compromise
- Inbound TCP connections to port 23 on the router's LAN interface, particularly successful logins as the Alphanetworks user
- Unexpected configuration changes on the DIR-600L A1, including DNS server modifications and firewall rule alterations
- New outbound traffic from the router to unknown infrastructure consistent with implant beaconing
Detection Strategies
- Inventory the network for D-Link DIR-600L A1 devices using SNMP, HTTP banner grabs, or asset management tooling
- Run authenticated network scans against the LAN to flag any host listening on TCP/23, then validate whether it is a DIR-600L
- Capture and inspect telnet session traffic for the username string Alphanetworks as a high-fidelity indicator
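The username match from the last strategy above, as an added example (not part of the original advisory or any vendor tooling). A per-packet string match on Alphanetworks misses character-mode telnet, where each keystroke travels in its own segment, so the code reassembles each client-to-server stream, strips telnet option negotiation, applies backspace edits, and only then compares typed lines. The session ids, addresses and payloads are constructed sample data, and extracting TCP/23 payloads from a capture is assumed to happen upstream.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0
USERNAME = b"Alphanetworks"  # username given in the advisory text

def strip_telnet(data: bytes) -> bytes:
    """Drop telnet command sequences (RFC 854) so only typed data remains."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:
            break                                  # truncated command at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC)                        # escaped literal 0xFF data byte
            i += 2
        elif data[i + 1] == SB:                    # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif 0xFB <= data[i + 1] <= 0xFE:
            i += 3                                 # WILL/WONT/DO/DONT plus option byte
        else:
            i += 2                                 # two-byte command (NOP, GA, ...)
    return bytes(out)

def typed_lines(stream: bytes):
    """Yield each completed line the client typed, honouring backspace/DEL."""
    line = bytearray()
    for b in strip_telnet(stream):
        if b in (0x08, 0x7F):
            del line[-1:]                          # erase previous character, if any
        elif b in (0x0D, 0x0A):
            if line:
                yield bytes(line)
            line.clear()
        elif b != 0x00:                            # telnet sends CR NUL for a bare Enter
            line.append(b)

def flag_sessions(segments):
    """segments: ordered (session_id, client_payload) pairs; returns matching ids."""
    streams = {}
    for sid, payload in segments:
        streams.setdefault(sid, bytearray()).extend(payload)
    return sorted(sid for sid, data in streams.items()
                  if any(l.strip() == USERNAME for l in typed_lines(bytes(data))))

# Constructed client-to-server payloads (documentation addresses, not real traffic).
SAMPLE = ([("192.0.2.50:40112", b"\xff\xfd\x03\xff\xfb\x18")]   # option negotiation
          + [("192.0.2.50:40112", bytes([c])) for c in USERNAME + b"\r\x00"]  # one key per segment
          + [("192.0.2.51:51200", b"admin\r\n"),
             ("192.0.2.52:33000", b"Alphanetx\x7fworks\r\n")])   # typo fixed with DEL
```

`flag_sessions(SAMPLE)` flags the first and third sessions even though no single payload contains the username string.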
Monitoring Recommendations
- Enable NetFlow or equivalent flow telemetry on switches serving user VLANs and alert on telnet traffic destined for SOHO routers
- Forward router syslog and DHCP lease activity to a SIEM and correlate administrative logins with client connections
- Monitor for lateral movement originating from router IP addresses, which would indicate the device is being used as a pivot
How to Mitigate CVE-2026-42375
Immediate Actions Required
- Replace the DIR-600L A1 with a currently supported router model, since the device is End-of-Life and will not receive vendor patches
- If immediate replacement is not possible, isolate the device on a dedicated VLAN and restrict management access to a trusted host
- Block inbound TCP/23 at any upstream firewall and disable any port-forwarding rule that exposes the router's services
Patch Information
No patch is available. D-Link has designated the DIR-600L Hardware Revision A1 as End-of-Life. The vendor has stated it will not release fixes for this hardware revision. Decommissioning the device is the only durable remediation. See the Securin Zero-Day Analysis for vendor status notes.
Workarounds
- Restrict LAN access to the router by placing it behind a managed switch that filters traffic to TCP/23 on the router's IP
- Disable wireless access or apply strong WPA3 credentials and MAC filtering to limit who can reach the LAN segment
- Enforce egress filtering so a compromised router cannot establish outbound command-and-control sessions
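# Example upstream firewall rule blocking telnet to the router LAN IP
# Replace 192.0.2.1 with the actual router LAN address
# -A appends: these rules must sit before any ACCEPT rule matching the same traffic
# FORWARD covers traffic routed through this firewall toward the router
iptables -A FORWARD -p tcp --dport 23 -d 192.0.2.1 -j DROP
# INPUT only matches traffic addressed to the host running iptables itself
iptables -A INPUT -p tcp --dport 23 -d 192.0.2.1 -j DROP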


