CVE-2020-29323: Hardcoded Telnet Credentials in D-Link Router

D-Link Router DIR-895L MFC Telnet Hardcoded Credentials

The D-link router DIR-885L-MFC 1.15b02, v1.21b05 is vulnerable to credentials disclosure in telnet service through decompilation of firmware, that allows an unauthenticated attacker to gain access to the firmware and to extract sensitive data.

CVE IDCVE-2020-29323

CVSS v3.17.5 High

VendorD-Link

CWECWE-522, CWE-798

DisclosedAug 17, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: D-Link
Affected Product: D-Link Router DIR-885L-MFC
CVE: CVE-2020-29323
Securin ID: 2020-CSW-08-1048
Status: Fixed
Date: August 17, 2021
Severity: High
CVSS Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-522, CWE-798

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

ScopeUnchanged

ImpactC:H / I:N / A:N

SeverityHigh

Issues: The telnet hardcoded default credentials are the vulnerable elements in the firmware of DIR-868L.

PoC · Exploitation Steps▲ trigger

01Step 1: Extract the firmware02Step 2: Run the command cat etc/init0.d/S80telnetd.sh to get the username and the location of the variable used for storing the password.03Figure 1: Clear text username as shown in screenshots04Step 3: Run the command cat etc/config/image_sign to get the password05Figure 2: Clear text password as shown in screenshots

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

A successful exploit could allow the attacker to gain access to the firmware and to extract sensitive data.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

D-Link released a support announcement in response to the recommendations provided by CSW team for these D-Link products – https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10189

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-29323, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Aug 17, 2020

Discovered in our research lab

Aug 18, 2020

Vulnerability reported to vendor and vendor acknowledged the vulnerability

Aug 20, 2020

Vendor responded saying “elevated to D-Link Corporation”.

Aug 26, 2020

Follow up

Aug 28, 2020

Vendor responded saying “should have an update in next few Days”

Sep 4, 2020

Follow up

Sep 7,2020

Vendor responded saying need more time to review and response from R&D

Sep 10, 2020

Vendor responded with a support announcement.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-29323

nvd.nist.gov/vuln/detail/CVE-2020-29323 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

D-Link Router DIR-895L MFC Telnet Hardcoded Credentials

CVE IDCVE-2020-29323

CVSS v3.17.5 High

VendorD-Link

CWECWE-522, CWE-798

DisclosedAug 17, 2021

StatusFixed

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Vendor: D-Link
Affected Product: D-Link Router DIR-885L-MFC
CVE: CVE-2020-29323
Securin ID: 2020-CSW-08-1048
Status: Fixed
Date: August 17, 2021
Severity: High
CVSS Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-522, CWE-798

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

ScopeUnchanged

ImpactC:H / I:N / A:N

SeverityHigh

Issues: The telnet hardcoded default credentials are the vulnerable elements in the firmware of DIR-868L.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

A successful exploit could allow the attacker to gain access to the firmware and to extract sensitive data.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-29323, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Aug 17, 2020

Discovered in our research lab

Aug 18, 2020

Vulnerability reported to vendor and vendor acknowledged the vulnerability

Aug 20, 2020

Vendor responded saying “elevated to D-Link Corporation”.

Aug 26, 2020

Follow up

Aug 28, 2020

Vendor responded saying “should have an update in next few Days”

Sep 4, 2020

Follow up

Sep 7,2020

Vendor responded saying need more time to review and response from R&D

Sep 10, 2020

Vendor responded with a support announcement.

Timeline recorded · Disclosure coordinated by Securin

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-29323

nvd.nist.gov/vuln/detail/CVE-2020-29323 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

D-Link Router DIR-895L MFC Telnet Hardcoded Credentials

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in our research lab

Vulnerability reported to vendor and vendor acknowledged the vulnerability

Vendor responded saying “elevated to D-Link Corporation”.

Follow up

Vendor responded saying “should have an update in next few Days”

Follow up

Vendor responded saying need more time to review and response from R&D

Vendor responded with a support announcement.

Cite, verify, go deeper.

NVD — CVE-2020-29323

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

D-Link Router DIR-895L MFC Telnet Hardcoded Credentials

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in our research lab

Vulnerability reported to vendor and vendor acknowledged the vulnerability

Vendor responded saying “elevated to D-Link Corporation”.

Follow up

Vendor responded saying “should have an update in next few Days”

Follow up

Vendor responded saying need more time to review and response from R&D

Vendor responded with a support announcement.

Cite, verify, go deeper.

NVD — CVE-2020-29323

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

D-Link Router DIR-895L MFC Telnet Hardcoded Credentials

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in our research lab

Vulnerability reported to vendor and vendor acknowledged the vulnerability

Vendor responded saying “elevated to D-Link Corporation”.

Follow up

Vendor responded saying “should have an update in next few Days”

Follow up

Vendor responded saying need more time to review and response from R&D

Vendor responded with a support announcement.

Cite, verify, go deeper.

NVD — CVE-2020-29323

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

D-Link Router DIR-895L MFC Telnet Hardcoded Credentials

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in our research lab

Vulnerability reported to vendor and vendor acknowledged the vulnerability

Vendor responded saying “elevated to D-Link Corporation”.

Follow up

Vendor responded saying “should have an update in next few Days”

Follow up

Vendor responded saying need more time to review and response from R&D

Vendor responded with a support announcement.

Cite, verify, go deeper.

NVD — CVE-2020-29323

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.