D-Link Routers Exposed by Hard-Coded Telnet Credentials
A recently disclosed vulnerability (CVE-2025-46176) exposes critical security flaws in D-Link’s DIR-605L and DIR-816L routers, revealing hardcoded Telnet credentials that enable remote command execution.
The vulnerability affects firmware versions 2.13B01 (DIR-605L) and 2.06B01 (DIR-816L), scoring 6.5 on the CVSS v3.1 scale with medium severity.
Security researchers identified improper command neutralization (CWE-77) as the root cause: anyone who analyzes the firmware can recover the credentials and bypass authentication.
Technical Analysis of Firmware Backdoors
Researchers extracted firmware using binwalk, revealing SquashFS file systems containing vulnerable components.
Both models execute Telnet services through ./bin/telnetd.sh, which initializes with hardcoded credentials:
    # DIR-605L v2.13B01 telnetd.sh snippet
    /usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign
The $image_sign variable retrieves credentials from ./etc/alpha_config/image_sign, exposing plaintext passwords like Wj5eH%JC.
Attackers can exploit this via:
    telnet 192.168.0.1
    Username: Alphanetworks
    Password: Wj5eH%JC
Firmware analysis scripts identified the flaw using:
    binwalk -eM DIR605L_FW_2.13B01.bin
    grep -r "Alphanetworks" squashfs-root
    cat squashfs-root/etc/alpha_config/image_sign
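The same check can be automated over an extracted root file system. The script below is an added example, not code from the article, the researchers or D-Link: it flags telnetd lines that carry a fixed "-u user:secret" credential and reports whether the secret ships inside the image, without printing it. The assignment form image_sign=`cat ...`, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# telnetd invoked with "-u user:secret"; the secret may be a literal or a $variable
TELNETD_RE = re.compile(r"telnetd\b.*?-u\s+([^\s:]+):(\S+)")
# Assumed assignment form (not shown in the article): var=`cat /path` or var=$(cat /path)
ASSIGN_RE = r"^\s*{name}=(?:`|\$\()\s*cat\s+(\S+?)\s*(?:`|\))"

def audit_rootfs(root):
    """Return one finding per telnetd line that carries a fixed credential."""
    root = Path(root)
    findings = []
    for script in sorted(root.rglob("*.sh")):
        text = script.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            m = TELNETD_RE.search(line.split("#", 1)[0])  # ignore shell comments
            if not m:
                continue
            user, secret = m.groups()
            source, recoverable = "literal in script", True
            if secret.startswith("$"):
                name = re.escape(secret.lstrip("${").rstrip("}"))
                a = re.search(ASSIGN_RE.format(name=name), text, re.M)
                source = a.group(1) if a else "unresolved variable"
                # Recoverable offline only if the referenced file ships in the image
                recoverable = bool(a) and (root / a.group(1).lstrip("/")).is_file()
            findings.append({"script": str(script.relative_to(root)), "line": lineno,
                             "user": user, "secret_source": source,
                             "recoverable_from_image": recoverable,
                             "root_shell": bool(re.search(r"-l\s+/bin/sh\b", line))})
    return findings

def build_sample_rootfs(base):
    """Constructed sample tree mirroring the layout the article describes."""
    base = Path(base)
    (base / "bin").mkdir(parents=True)
    (base / "etc/alpha_config").mkdir(parents=True)
    (base / "etc/alpha_config/image_sign").write_text("EXAMPLE-SECRET\n")  # placeholder
    (base / "bin/telnetd.sh").write_text(
        "#!/bin/sh\n"
        "image_sign=`cat /etc/alpha_config/image_sign`\n"
        "/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_rootfs(build_sample_rootfs(Path(tmp) / "squashfs-root")):
            print(finding)
```

Point audit_rootfs at the squashfs-root directory that binwalk produces to run it against a real image.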
Exploit Potential and Risk Assessment
The vulnerability permits unauthenticated attackers to:
- Execute arbitrary commands via Telnet
- Modify router configurations
- Deploy malware or pivot to internal networks
With an EPSS score of 0.04%, the likelihood of active exploitation remains low but persistent.
However, the absence of firmware patches exacerbates risks for devices exposed to public networks.
Security analysts emphasize that:
    nmap -p 23 # Identifies vulnerable Telnet services
Mitigation Strategies and Vendor Response
D-Link acknowledged the issue in a security bulletin, urging users to:
- Disable Telnet services via the admin interface
- Restrict WAN access to management ports
- Monitor for firmware updates
As of May 2025, no official patches exist. Temporary workarounds include:
    iptables -A INPUT -p tcp --dport 23 -j DROP # Blocks Telnet traffic
This vulnerability underscores the risks of hardcoded credentials in IoT devices, particularly in legacy models with limited update support.
Network administrators should audit devices using Shodan queries like product:"DIR-605L" and implement network segmentation.