A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware.
The vulnerability affects DIR-605L v2.13B01 and DIR-816L v2.06B01 models, scoring 6.5 on the CVSS v3.1 scale with medium severity.
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users.
.png
)
The vulnerability allows unauthenticated attackers to bypass authentication and execute arbitrary commands remotely.
Hardcoded Telnet Credentials
Researchers utilized binwalk to extract firmware images, uncovering SquashFS file systems containing the vulnerable components.
The analysis revealed that both affected models initialize Telnet services through ./bin/telnetd.sh scripts with hardcoded authentication.
The telnetd service launches with the command: /usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign, where the $image_sign variable retrieves credentials from ./etc/alpha_config/image_sign.
This configuration file contains plaintext passwords, including Wj5eH%JC for some devices.
Firmware analysis scripts identified the vulnerability using: grep -r “Alphanetworks” squashfs-root and cat squashfs-root/etc/alpha_config/image_sign.
The discovery process involved searching for “Alphanetworks” references throughout the extracted filesystem, leading researchers to the telnetd initialization scripts.
Attackers can exploit this vulnerability by connecting directly to affected routers via Telnet using the discovered credentials. The attack vector requires only network access to the target device, with no authentication barriers once the hardcoded credentials are known.
The exploitation process involves: telnet 192.168.0[.]1 followed by entering Username: Alphanetworks and the corresponding password from the image_sign file.
This grants attackers shell access with administrative privileges, enabling complete system compromise.
The vulnerability falls under CWE-77 (Improper Neutralization of Special Elements used in a Command), allowing command injection attacks. Security analysts can identify vulnerable services using: nmap -p 23
With an EPSS score of 0.04%, active exploitation likelihood remains relatively low, though the persistent nature of hardcoded credentials creates ongoing risk.
Successful exploitation enables attackers to modify router configurations, deploy malware, or pivot into internal networks.
| Risk Factors | Details |
| Affected Products | D-Link DIR-605L (v2.13B01), DIR-816L (v2.06B01) |
| Impact | Remote code execution |
| Exploit Prerequisites | Network access to port 23/TCP; knowledge of hardcoded credentials |
| CVSS 3.1 Score | 6.5 (Medium) |
Mitigations
D-Link acknowledged the vulnerability in their security bulletin, confirming that both affected models reached End-of-Life (EOL) status on November 17, 2023.
The company stated that EOL products no longer receive firmware updates or security patches.
As of May 2025, no official patches exist for this vulnerability. D-Link recommends users disable Telnet services through administrative interfaces, restrict WAN access to management ports, and monitor for potential firmware updates.
Temporary mitigation strategies include blocking the Telnet port 23 through firewall rules and replacing affected devices with supported models.
Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.
The vulnerability highlights the ongoing security risks associated with legacy networking equipment and embedded hardcoded credentials in IoT devices.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
