📄 Description (English)
D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn76_dlwbr_dir605L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
🤖 AI Executive Summary
D-Link DIR-605L (Hardware Revision B2) contains a critical hardcoded telnet backdoor with static credentials embedded in the firmware, allowing unauthenticated attackers on the local network to gain root shell access. The device is End-of-Life with no patches available, making this a permanent vulnerability. This affects legacy network infrastructure across Saudi organizations, particularly in banking, government, and healthcare sectors where older networking equipment may still be deployed.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 06:49
🇸🇦 Saudi Arabia Impact Assessment
Critical impact for Saudi organizations still operating legacy D-Link DIR-605L devices. Banking sector (SAMA-regulated institutions) faces severe risk if these devices are used in network perimeters or branch connectivity. Government agencies (NCA oversight) using this equipment for network infrastructure are at high risk of unauthorized access and data exfiltration. Healthcare organizations (MOH) may have these devices in older facility networks. Telecom operators (STC, Mobily) may have legacy equipment in remote sites. Energy sector (ARAMCO, SEC) legacy networks could be compromised. The local network requirement limits exposure but is critical for organizations with untrusted internal networks or compromised endpoints.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Facilities
Energy and Utilities
Telecommunications
Education
Retail and Commerce
🎯 MITRE ATT&CK Techniques
T1021.004 - Remote Services: SSH (telnet alternative)
T1078.001 - Valid Accounts: Default Accounts (hardcoded credentials)
T1078.003 - Valid Accounts: Local Accounts (root shell access)
T1021.005 - Remote Services: VNC (network access)
T1110.001 - Brute Force: Password Guessing (static credentials)
T1021 - Remote Services (telnet backdoor)
T1190 - Exploit Public-Facing Application (local network exposure)
T1199 - Trusted Relationship (internal network trust)
T1021.001 - Remote Services: Telnet (direct exploitation)
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Conduct urgent inventory of all D-Link DIR-605L devices across the organization, particularly Hardware Revision B2
2. Isolate affected devices from production networks immediately or implement strict network segmentation
3. Disable telnet access if possible through device configuration (though backdoor may persist)
4. Implement network-level controls: block telnet port 23 at firewall/ACL level, restrict device access to authorized management networks only
5. Monitor for unauthorized telnet connections to these devices using SIEM/IDS
Compensating Controls (No Patch Available):
6. Replace affected devices with current-generation D-Link or alternative vendor equipment with active security support
7. If replacement not immediately possible: implement strict network segmentation, place devices on isolated VLAN with no internet access
8. Deploy IDS/IPS rules to detect telnet connections to these devices and alert on suspicious authentication patterns
9. Implement network access control (NAC) to prevent unauthorized devices from connecting to management ports
10. Disable UPnP and other auto-discovery protocols on affected devices
11. Change any accessible configuration if device allows local password modification (though backdoor account may remain)
Detection Rules:
12. Monitor for telnet connections (port 23) to DIR-605L devices from unexpected sources
13. Alert on any successful telnet authentication to these devices
14. Track failed login attempts to telnet service
15. Monitor for SSH/HTTP access attempts if device supports these protocols
16. Implement network flow monitoring for devices communicating with DIR-605L on management ports
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. إجراء جرد عاجل لجميع أجهزة D-Link DIR-605L عبر المنظمة، خاصة مراجعة الأجهزة B2
2. عزل الأجهزة المتأثرة عن شبكات الإنتاج فوراً أو تطبيق تقسيم شبكة صارم
3. تعطيل وصول telnet إن أمكن من خلال تكوين الجهاز (على الرغم من أن الباب الخلفي قد يستمر)
4. تطبيق عناصر تحكم على مستوى الشبكة: حظر منفذ telnet 23 على مستوى جدار الحماية/ACL، تقييد وصول الجهاز بالشبكات الموثوقة فقط
5. مراقبة اتصالات telnet غير المصرح بها لهذه الأجهزة باستخدام SIEM/IDS
عناصر التحكم البديلة (لا توجد تصحيحات متاحة):
6. استبدال الأجهزة المتأثرة بمعدات D-Link من الجيل الحالي أو معدات بديلة من مورد آخر مع دعم أمان نشط
7. إذا لم يكن الاستبدال ممكناً على الفور: تطبيق تقسيم شبكة صارم، ضع الأجهزة على VLAN معزول بدون وصول إنترنت
8. نشر قواعد IDS/IPS للكشف عن اتصالات telnet لهذه الأجهزة والتنبيه على أنماط المصادقة المريبة
9. تطبيق التحكم في وصول الشبكة (NAC) لمنع الأجهزة غير المصرح بها من الاتصال بمنافذ الإدارة
10. تعطيل UPnP والبروتوكولات الأخرى للاكتشاف التلقائي على الأجهزة المتأثرة
11. تغيير أي تكوين يمكن الوصول إليه إذا سمح الجهاز بتعديل كلمة المرور المحلية (على الرغم من أن حساب الباب الخلفي قد يبقى)
قواعد الكشف:
12. مراقبة اتصالات telnet (المنفذ 23) لأجهزة DIR-605L من مصادر غير متوقعة
13. التنبيه على أي مصادقة telnet ناجحة لهذه الأجهزة
14. تتبع محاولات تسجيل الدخول الفاشلة لخدمة telnet
15. مراقبة محاولات وصول SSH/HTTP إذا كان الجهاز يدعم هذه البروتوكولات
16. تطبيق مراقبة تدفق الشبكة للأجهزة التي تتصل بـ DIR-605L على منافذ الإدارة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.8.1 - Asset Management and Inventory Control (legacy device tracking)
ECC 2024 A.8.2 - Secure Configuration Management (hardcoded credentials violate secure baseline)
ECC 2024 A.9.1 - Access Control (unauthorized telnet access)
ECC 2024 A.9.2 - User Authentication and Authorization (static credentials)
ECC 2024 A.13.1 - Network Security (telnet protocol and local network exposure)
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management (inventory of legacy devices)
SAMA CSF PR.AC-1 - Access Control Policy (hardcoded backdoor violates access control)
SAMA CSF PR.AC-2 - Physical and Logical Access Control (telnet backdoor)
SAMA CSF PR.AC-3 - Access Enforcement (static credentials)
SAMA CSF PR.PT-1 - Protective Technology (network segmentation required)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control (hardcoded credentials)
ISO 27001:2022 A.5.16 - Authentication (static password vulnerability)
ISO 27001:2022 A.5.18 - Cryptography (telnet unencrypted)
ISO 27001:2022 A.8.1 - Asset Management (EOL device management)
ISO 27001:2022 A.8.2 - Configuration Management (secure baseline violated)
🟣 PCI DSS v4.0.1
PCI DSS 1.1 - Firewall Configuration Standards (telnet access control)
PCI DSS 2.1 - Default Passwords (hardcoded credentials)
PCI DSS 2.2.4 - Configure System Security Parameters (EOL device)
PCI DSS 6.2 - Security Patches (no patches available for EOL device)
PCI DSS 8.1 - User Authentication (static credentials)
🔗 References & Sources 2
🔗
https://www.securin.io/zero-day/cve-2026-42373-hardcoded-telnet-backdoor-in-d-link-dir-...
33c584b5-0579-4c06-b2a0-8d8329fcab9c
Exploit
Third Party Advisory
🔗
https://www.securin.io/zero-day/cve-2026-42373-hardcoded-telnet-backdoor-in-d-link-dir-...
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
📦 Affected Products / CPE 1 entries
dlink:dir-605l_firmware