What this actually is.
Technical background, root cause, and affected surface.
D-Link DIR-605L Hardware Revision A1 is an End-of-Life (EOL) consumer router that contains a manufacturer-installed telnet backdoor with hardcoded credentials. This product reached End-of-Life (EOL) on November 17, 2023. D-Link has confirmed it will not release security patches for EOL products.
The telnet daemon starts unconditionally at boot with the username "Alphanetworks" and the static password. This password is stored in plaintext at /etc/alpha_config/image_sign in the firmware filesystem and is identical across all DIR-605L A1 devices. Successful authentication grants a root shell with full administrative control.
- Vendor
- D-Link Corporation / Alpha Networks Inc. (ODM)
- Affected Product
- D-Link DIR-605L Hardware Revision A1 (End-of-Life)
- CVE
- CVE-2026-42372
- CWE
- CWE-798, CWE-912, CWE-259
- Status
- Fixed
- Date
- April 21, 2026
- Severity
- High
- CVSS Score
- 8.8
- Vector
- CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
An attacker on the same LAN or WiFi network as the DIR-605L A1 (EOL) can gain full root shell access by connecting to the telnet service (TCP port 23) and entering the hardcoded Alphanetworks credentials. No prior authentication, session tokens, or CSRF tokens are required. The backdoor is available immediately after device boot.Exploitation StepsStep 1: Connect to telnet on the router (default LAN IP)
The bug, and the fix.
Boot Script: /bin/telnetd.sh
This script executes unconditionally at boot. There is no user-facing option to disable the telnet backdoor.
QEMU Validation
Tested with qemu-mips-static v7.2.0. Credentials delivered via named pipe (FIFO).
#!/bin/sh
image_sign=`cat /etc/alpha_config/image_sign`
echo "Start telnetd ..." > /dev/console
if [ -f "/usr/bin/login" ]; then
telnetd -l "/usr/bin/login" -u Alphanetworks:$image_sign -i br0 &
else
telnetd &
fiRoot cause: Backdoor originates from Alpha Networks Inc. (Taiwanese ODM). The "Alphanetworks" username, /etc/alpha_config/ directory, and wrg-prefixed passwords directly identify the ODM. Intended for factory testing but never removed from production firmware.
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Exploitation grants a root shell on the DIR-605L A1 (End-of-Life). An attacker on the LAN/WiFi can:
Execute arbitrary commands as root
Read/modify all router configuration including WiFi passwords and DNS settings
Intercept, redirect, or modify all network traffic
Install persistent malware or pivot into the internal network
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Replace the device immediately with a currently supported router model.
Temporary: kill telnetd via backdoor and block port 23 (lost on reboot)
Do not use this device for any security-sensitive network
This product is End-of-Life (EOL). No patches will be released by D-Link.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
Backdoor identified via firmware static analysis
Validated via QEMU
Reported to Vendor
Vendor confirmed EoL status; no fix will be issued
Follow up with Vendor
Advisory release confirmed
CVE assigned: CVE-2026-42372
Disclosed 4 days after discovery
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.