📄 Description (English)
D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.
🤖 AI Executive Summary
D-Link DIR-600L routers contain a hardcoded telnet backdoor with static credentials that grants unauthenticated attackers root access on the local network. The vulnerability affects end-of-life devices that will never receive patches. With a CVSS score of 9.8 and publicly available exploits, this poses an immediate and persistent threat to any organization still operating these devices.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 06:48
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using DIR-600L routers face critical risk across multiple sectors: Government agencies and NCA infrastructure may have legacy deployments; Banking sector (SAMA-regulated) could experience network compromise affecting payment systems; Telecom operators (STC, Mobily) may have these devices in branch offices or customer networks; Healthcare facilities using these for network access; Energy sector (ARAMCO, utilities) with legacy network infrastructure. The lack of patch availability means affected devices must be immediately decommissioned or isolated. Local network access requirement limits exposure but internal threats and compromised network segments pose significant risk.
🏢 Affected Saudi Sectors
Government
Banking
Telecommunications
Healthcare
Energy
Education
Retail
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Conduct urgent inventory of all D-Link DIR-600L devices across the organization
2. Isolate affected devices from production networks immediately
3. Disable telnet service if possible through device configuration
4. Implement network segmentation to restrict local network access to these devices
5. Monitor for unauthorized telnet connections (port 23) to these devices
PATCHING GUIDANCE:
- No patches available; device is end-of-life
- Decommission all DIR-600L units and replace with supported alternatives
- If replacement timeline exceeds 30 days, implement compensating controls
COMPENSATING CONTROLS:
1. Deploy network access control (NAC) to prevent unauthorized device connections
2. Implement firewall rules blocking telnet (port 23) to/from DIR-600L devices
3. Restrict device access to trusted VLANs only
4. Deploy intrusion detection signatures for hardcoded credential exploitation
5. Enable syslog forwarding to SIEM for connection monitoring
DETECTION RULES:
- Alert on telnet connections to port 23 on DIR-600L devices
- Monitor for authentication attempts with username 'Alphanetworks'
- Flag any successful root shell access from local network sources
- Track failed telnet connection attempts indicating reconnaissance
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. إجراء جرد عاجل لجميع أجهزة D-Link DIR-600L في المنظمة
2. عزل الأجهزة المتأثرة عن شبكات الإنتاج فوراً
3. تعطيل خدمة telnet إن أمكن من خلال إعدادات الجهاز
4. تنفيذ تقسيم الشبكة لتقييد الوصول إلى الشبكة المحلية لهذه الأجهزة
5. مراقبة اتصالات telnet غير المصرح بها (المنفذ 23) لهذه الأجهزة
توجيهات التصحيح:
- لا توجد تصحيحات متاحة؛ الجهاز انتهت دورة حياته
- إيقاف تشغيل جميع وحدات DIR-600L واستبدالها ببدائل مدعومة
- إذا تجاوز الجدول الزمني للاستبدال 30 يوماً، قم بتنفيذ ضوابط تعويضية
الضوابط التعويضية:
1. نشر التحكم في الوصول إلى الشبكة (NAC) لمنع اتصالات الأجهزة غير المصرح بها
2. تنفيذ قواعد جدار الحماية لحظر telnet (المنفذ 23) من/إلى أجهزة DIR-600L
3. تقييد وصول الجهاز إلى VLANs الموثوقة فقط
4. نشر توقيعات كشف الاختراق لاستغلال بيانات الاعتماد المشفرة
5. تفعيل إعادة توجيه syslog إلى SIEM لمراقبة الاتصال
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.8.1.1 - User access control and authentication
ECC 2024 A.8.2.1 - Secure authentication mechanisms
ECC 2024 A.13.1.1 - Network security perimeter
ECC 2024 A.13.1.3 - Segregation of networks
🔵 SAMA CSF
ID.AM-2 - Hardware and software assets are inventoried
PR.AC-1 - Identities and credentials are issued and managed
PR.AC-6 - Access is managed through removable media
DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
A.5.15 - Access control
A.8.2.1 - User registration and de-registration
A.8.2.3 - Management of privileged access rights
A.13.1.1 - Network controls
🟣 PCI DSS v4.0
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 8 - Assign and manage access to network resources
🔗 References & Sources 2
🔗
https://www.securin.io/zero-day/cve-2026-42375-hardcoded-telnet-backdoor-in-d-link-dir-...
33c584b5-0579-4c06-b2a0-8d8329fcab9c
Exploit
Third Party Advisory
🔗
https://www.securin.io/zero-day/cve-2026-42375-hardcoded-telnet-backdoor-in-d-link-dir-...
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
📦 Affected Products / CPE 1 entries
dlink:dir-600l_firmware