SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2018-20432
    ▲ CriticalCVSS 9.8✓ PatchedEPSS 0.2032%

    Hardcoded credentials in DLink CoVR-2600R Router

    D-Link COVR-2600R and COVR-3902 Kit before 1.01b05Beta01 use hardcoded credentials for telnet connection, which allows unauthenticated attackers to gain privileged access to the router, and to extract sensitive data or modify the configuration.

    CVE IDCVE-2018-20432
    CVSS v3.19.8 Critical
    VendorDLink
    CWECWE-798
    DisclosedDec 5, 2018
    StatusFixed
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Impact
    • 04Remediation
    • 05Timeline
    • 06References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data.

    Vendor
    DLink
    Affected Product
    COVR-3902_REVA_ROUTER_FIRMWARE_v1.01B0
    CVE
    CVE-2018-20432
    Securin ID
    2018-CSW-02-1019
    Status
    Fixed
    Date
    December 5, 2018
    Severity
    Critical
    CVSS Score
    9.8
    Vector
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    CWE
    CWE-798
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    9.8CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    ScopeUnchanged
    ImpactC:H / I:H / A:H
    SeverityCritical
    PoC · Exploitation Steps▲ trigger
    01Issues021. Download the firmware from the mentioned download URLs.032. Extract the firmware using binwalk. “binwalk -e COVR-3902_ROUTER_v101b05.bin.”04Figure 1: Extracting a firmware053. Go to “cat ./etc/init0.d/S80telnetd.sh” to get a username06Figure 2: Clear text username as shown in screenshots074. Go to “cat ./etc/config/image_sign” to get a password08Figure 3: Clear text password as shown in screenshots09Username: Alphanetworks\10Password: wrgac61_dlink.2015_dir883
    03/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    An unauthenticated attacker gains privileged access to the router, and to extract sensitive data or modify the configuration.

    04/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Download and apply the relevant from the vendor:

    https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10109

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2018-20432, contact disclose@securin.io
    05/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Jul 05, 2019

    Discovered in Dlink.

    Timeline recorded · Disclosure coordinated by Securin

    06/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2018-20432

    nvd.nist.gov/vuln/detail/CVE-2018-20432 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum