Vulnerabilities ›

CVE-2026-42374

Critical ⚡ Exploit Available

CWE-798 — Weakness Type

                    Published: May 4, 2026                      ·  Modified: May 11, 2026                      ·  Source: NVD                

CVSS v3

9.8

🔗 NVD Official

📄 Description (English)

D-Link DIR-600L Hardware Revision B1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn61_dlwbr_dir600L" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

🤖 AI Executive Summary

D-Link DIR-600L (End-of-Life) routers contain a hardcoded telnet backdoor with static credentials, allowing unauthenticated local network attackers to gain root shell access. With CVSS 9.8 and active exploits available, this poses critical risk to Saudi organizations using legacy networking equipment. No patches will be released due to EOL status, requiring immediate device replacement or network isolation.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 8, 2026 06:48

🇸🇦 Saudi Arabia Impact Assessment

Critical impact on Saudi telecommunications sector (STC, Mobily, Zain), government agencies using legacy network infrastructure, and small-to-medium enterprises relying on budget networking equipment. Banking sector (SAMA-regulated institutions) at risk if DIR-600L used in branch networks or as edge devices. Healthcare facilities and energy sector (ARAMCO subsidiaries) vulnerable if legacy equipment remains in operational networks. SMEs and government agencies in remote regions likely to have higher prevalence of EOL equipment.

🏢 Affected Saudi Sectors

Telecommunications (STC, Mobily, Zain) Government and Public Administration Banking and Financial Services (SAMA-regulated) Healthcare Energy and Utilities (ARAMCO) Small and Medium Enterprises Education Retail

🎯 MITRE ATT&CK Techniques

T1021.004 - Remote Services: SSH T1021.005 - Remote Services: VNC T1078.001 - Valid Accounts: Default Accounts T1078.002 - Valid Accounts: Domain Accounts T1110.001 - Brute Force: Password Guessing T1556 - Modify Authentication Process T1199 - Trusted Relationship T1570 - Lateral Tool Transfer T1021 - Remote Services

⚖️ Saudi Risk Score (AI)

9.6

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Conduct urgent inventory of all D-Link DIR-600L devices across network infrastructure

2. Isolate affected devices from production networks immediately or power down if not critical

3. If device must remain operational, implement strict network segmentation and disable telnet access via firewall rules

4. Block telnet port 23 at network perimeter and internal firewalls

5. Monitor for unauthorized telnet connections (port 23) and SSH tunneling attempts

PATCHING GUIDANCE:

- No patches available; device is EOL

- Mandatory replacement with supported D-Link models or alternative vendors

- Establish replacement timeline within 30 days for critical infrastructure

COMPENSATING CONTROLS:

1. Implement network access control (NAC) to prevent unauthorized device connections

2. Deploy IDS/IPS rules to detect telnet connections with hardcoded credentials

3. Restrict device to isolated VLAN with no internet access

4. Disable all remote management protocols (telnet, HTTP, SSH) at device level if possible

5. Implement 24/7 network monitoring for suspicious telnet activity

6. Deploy honeypot telnet service to detect exploitation attempts

DETECTION RULES:

- Alert on any telnet connections to port 23 from internal networks

- Monitor for authentication attempts with username 'Alphanetworks'

- Flag any successful telnet sessions from non-administrative IP ranges

- Detect /bin/telnetd.sh process execution at device boot

- Monitor for outbound connections from DIR-600L to external C2 infrastructure

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. إجراء جرد عاجل لجميع أجهزة D-Link DIR-600L عبر البنية التحتية للشبكة

2. عزل الأجهزة المتأثرة عن شبكات الإنتاج فوراً أو إيقاف تشغيلها إذا لم تكن حرجة

3. إذا كان يجب أن يبقى الجهاز قيد التشغيل، قم بتنفيذ تقسيم شبكة صارم وتعطيل وصول telnet عبر قواعد جدار الحماية

4. حظر منفذ telnet 23 على محيط الشبكة وجدران الحماية الداخلية

5. مراقبة اتصالات telnet غير المصرح بها ومحاولات نفق SSH



إرشادات التصحيح:

- لا توجد تصحيحات متاحة؛ الجهاز انتهت فترة دعمه

- استبدال إلزامي بنماذج D-Link مدعومة أو بدائل أخرى

- وضع جدول زمني للاستبدال خلال 30 يوماً للبنية التحتية الحرجة



الضوابط البديلة:

1. تنفيذ التحكم في الوصول إلى الشبكة (NAC) لمنع اتصالات الأجهزة غير المصرح بها

2. نشر قواعد IDS/IPS للكشف عن اتصالات telnet ببيانات اعتماد مشفرة

3. تقييد الجهاز إلى VLAN معزول بدون وصول إلى الإنترنت

4. تعطيل جميع بروتوكولات الإدارة البعيدة (telnet و HTTP و SSH) على مستوى الجهاز إن أمكن

5. تنفيذ مراقبة شبكة 24/7 للنشاط المريب

6. نشر خدمة telnet عسل لاكتشاف محاولات الاستغلال



قواعد الكشف:

- تنبيه على أي اتصالات telnet بالمنفذ 23 من الشبكات الداخلية

- مراقبة محاولات المصادقة باسم المستخدم 'Alphanetworks'

- وضع علم على أي جلسات telnet ناجحة من نطاقات IP غير إدارية

- الكشف عن تنفيذ عملية /bin/telnetd.sh عند بدء تشغيل الجهاز

- مراقبة الاتصالات الصادرة من DIR-600L إلى البنية التحتية الخارجية

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.8.1.1 - User access management and authentication controls ECC 2024 A.8.2.1 - User responsibility for password management ECC 2024 A.8.3.1 - Password quality requirements ECC 2024 A.13.1.1 - Network security perimeter controls ECC 2024 A.13.1.3 - Segregation of networks ECC 2024 A.14.2.1 - System change management

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Hardware and software asset management SAMA CSF PR.AC-1 - Access control policy and procedures SAMA CSF PR.AC-6 - Access control for remote devices SAMA CSF DE.CM-1 - Network monitoring and detection SAMA CSF RS.MI-2 - Incident response and containment

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access control ISO 27001:2022 A.5.16 - Authentication ISO 27001:2022 A.5.18 - Management of privileged access rights ISO 27001:2022 A.8.1 - User endpoint devices ISO 27001:2022 A.8.2 - Privileged access rights ISO 27001:2022 A.8.6 - Access control to networks and network services

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Change vendor-supplied defaults PCI DSS 2.2.4 - Configure system security parameters PCI DSS 6.2 - Ensure security patches are installed PCI DSS 8.1 - Assign unique user ID PCI DSS 8.2 - Strong authentication methods

🔗 References & Sources 2

🔗

https://www.securin.io/zero-day/cve-2026-42374-hardcoded-telnet-backdoor-in-d-link-dir-...

33c584b5-0579-4c06-b2a0-8d8329fcab9c

Exploit Third Party Advisory

🔗

https://www.securin.io/zero-day/cve-2026-42374-hardcoded-telnet-backdoor-in-d-link-dir-...

134c704f-9b21-4f2e-91b3-4a467353bcc0

Exploit Third Party Advisory

📦 Affected Products / CPE 1 entries

dlink:dir-600l_firmware

📊 CVSS Score

9.8

/ 10.0 — Critical

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity Critical

CVSS Score9.8

CWECWE-798

EPSS0.17%

Exploit ✓ Yes

Patch ✗ No

Published 2026-05-04

Source Feed nvd

🇸🇦 Saudi Risk Score

9.6

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

exploit-available CWE-798

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-42374

💬 Comments

Introduce Yourself

Sign In Required