Cyber Resilience

CVE-2021-40655

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 24 September 2021
Modified: 10 November 2025
KEV Added: 16 May 2024
Patch
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.9261 (99.8th percentile)
Risk Priority: 91 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-40655 is a high-severity Incorrect Authorization (CWE-863) vulnerability in D-Link DIR-605L firmware, the CPE under which this record is filed; the original advisory names the DIR-605 hardware revision B2 running firmware 2.01MT, so asset matching should cover both designations. Its CVSS v3.1 base score is 7.5 (High): the vector describes a network-reachable issue that needs no privileges or user interaction, with a high confidentiality impact and no integrity or availability impact.

Operationally, it ranks in the top 0.2% of CVEs by EPSS exploit likelihood, is listed in CISA's Known Exploited Vulnerabilities catalog, and has a publicly referenced proof of concept.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-17 (Remote Access).

Deeper analysis

CVE-2021-40655 is an information disclosure vulnerability affecting the D-Link DIR-605 B2 router running firmware version 2.01MT. The flaw resides in the /getcfg.php endpoint and stems from incorrect authorization (CWE-863): the endpoint serves configuration data without verifying that the caller is an authenticated administrator.

An unauthenticated remote attacker can exploit the issue by sending a crafted POST request to that endpoint; no user interaction or prior authentication is required. A successful request returns the device's administrative username and password, which is all an attacker needs to sign in to the management interface as administrator.
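A detection pass over web-server or reverse-proxy access logs, as an added example that is not from this page or from D-Link: it flags POST requests to /getcfg.php that arrive from outside RFC 1918 space or without a Referer (a browser-driven admin session normally carries one; a scripted request usually does not), and treats an HTTP 200 answer to such a request as probable credential disclosure rather than a mere attempt. The log lines, the LAN address ranges and the field names are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in Apache/nginx "combined" log format. They are not
# from a real device or incident; they exist only so the example runs offline.
SAMPLE_LOG = """\
192.168.0.10 - - [12/Mar/2024:09:15:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.0.10 - - [12/Mar/2024:09:15:20 +0000] "POST /getcfg.php HTTP/1.1" 200 1830 "http://192.168.0.1/tools_admin.php" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2024:09:16:41 +0000] "POST /getcfg.php HTTP/1.1" 200 1830 "-" "python-requests/2.31.0"
203.0.113.45 - - [12/Mar/2024:09:16:42 +0000] "POST /getcfg.php HTTP/1.1" 200 1830 "-" "python-requests/2.31.0"
198.51.100.7 - - [12/Mar/2024:09:17:05 +0000] "POST /getcfg.php HTTP/1.1" 401 0 "-" "curl/8.4.0"
203.0.113.99 - - [12/Mar/2024:09:18:00 +0000] "GET /getcfg.php HTTP/1.1" 404 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TARGET_PATH = "/getcfg.php"

# Assumed LAN side of the router: the RFC 1918 ranges. Checked explicitly rather
# than via ip_address().is_private, whose definition differs across Python
# versions and also covers documentation ranges such as 203.0.113.0/24.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    src: str
    ts: str
    status: int
    reasons: tuple
    severity: str   # "exfil": the device answered 200, so credentials likely left the box


def is_lan_source(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def detect_getcfg_abuse(log_text: str) -> list:
    """Return one Finding per suspicious POST to /getcfg.php, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        reasons = []
        if not is_lan_source(m["src"]):
            reasons.append("wan-source")   # management endpoint reached from outside the LAN
        if m["referer"] == "-":
            reasons.append("no-referer")   # scripted client, not the admin UI; spoofable, so a weak signal on its own
        if not reasons:
            continue                       # LAN browser traffic to the endpoint is normal on a router
        status = int(m["status"])
        severity = "exfil" if status == 200 else "attempt"
        findings.append(Finding(m["src"], m["ts"], status, tuple(reasons), severity))
    return findings


def count_by_source(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect_getcfg_abuse(SAMPLE_LOG):
        print(f"{f.ts} {f.src} status={f.status} {f.severity} ({', '.join(f.reasons)})")
```

A 200 to a WAN-sourced POST on this endpoint should be treated as a credential compromise: rotate the administrative password and review the device configuration rather than only blocking the source address. A LAN-sourced request without a Referer is still worth a look, since anything already on the network can use the same request.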

The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog (added 16 May 2024), which confirms exploitation observed in the wild. D-Link has published security bulletins addressing the affected hardware, and public proof-of-concept material demonstrating the forged POST request is available in public repositories.


Vulnerability details

An information disclosure issue exists in D-Link DIR-605 B2 firmware version 2.01MT. An attacker can obtain a user name and password by forging a POST request to the /getcfg.php page.

CWE(s): CWE-863 Incorrect Authorization

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dlink
Product: dir-605l firmware
Version: 2.01mt

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

AC-3 Access Enforcement
prevent
Directly enforces authorization checks on the /getcfg.php endpoint so that unauthenticated POST requests cannot retrieve administrative credentials.

prevent
Limits the privileges granted to unauthenticated or low-privilege sessions, reducing the impact of missing authorization on configuration data.

AC-17 Remote Access (partial match)
prevent
Requires explicit remote-access authorization policies and mechanisms that would block forged requests to the exposed management endpoint, for instance by refusing management traffic arriving on the WAN interface.
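To make the AC-3 and AC-17 mappings above concrete, here is an added example (not D-Link firmware code and not from this page) of a minimal request handler in the vulnerable shape described in the deeper analysis beside a hardened one. The hardened version applies AC-17 first by refusing the management endpoint from non-LAN addresses, then AC-3 by requiring an authenticated session, and finally strips the stored password from what it returns, so even an authenticated caller cannot use the endpoint to read the secret back. DEVICE_CONFIG, the session store, the LAN ranges and the sample credential are constructed assumptions.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from http import HTTPStatus
from typing import Optional

# Illustrative device state. The page does not describe the firmware's storage,
# so these keys and the sample secret are constructed for the example only.
DEVICE_CONFIG = {
    "hostname": "dir-605",
    "lan_ip": "192.168.0.1",
    "admin_user": "admin",
    "admin_password": "Wint3r!2024",
}

# Assumed LAN side of the router (RFC 1918).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Request:
    method: str
    path: str
    remote_addr: str
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict


# Vulnerable shape (CWE-863): the handler assumes only the management UI will
# ever call it and hands the whole configuration, credentials included, to any
# POST, authenticated or not, from any network.
def getcfg_vulnerable(req: Request) -> Response:
    if req.method != "POST":
        return Response(HTTPStatus.METHOD_NOT_ALLOWED, {})
    return Response(HTTPStatus.OK, dict(DEVICE_CONFIG))


# Hardened shape: AC-17, then AC-3, then data minimisation.
SESSIONS: dict = {}   # session id -> username; in-memory for the example


def login(username: str, password: str) -> Optional[str]:
    """Issue a session id on correct credentials; constant-time comparison."""
    user_ok = secrets.compare_digest(username.encode(), DEVICE_CONFIG["admin_user"].encode())
    pass_ok = secrets.compare_digest(password.encode(), DEVICE_CONFIG["admin_password"].encode())
    if not (user_ok and pass_ok):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def is_lan_client(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def getcfg_hardened(req: Request) -> Response:
    if req.method != "POST":
        return Response(HTTPStatus.METHOD_NOT_ALLOWED, {})
    # AC-17: the management endpoint is not offered to WAN-side clients at all.
    if not is_lan_client(req.remote_addr):
        return Response(HTTPStatus.FORBIDDEN, {"error": "management interface is LAN-only"})
    # AC-3: the caller must hold a valid administrative session.
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user is None:
        return Response(HTTPStatus.UNAUTHORIZED, {"error": "authentication required"})
    # Even an authenticated admin never needs the stored secret echoed back.
    safe_view = {k: v for k, v in DEVICE_CONFIG.items() if k != "admin_password"}
    return Response(HTTPStatus.OK, safe_view)


if __name__ == "__main__":
    wan = Request("POST", "/getcfg.php", "203.0.113.45")
    print("vulnerable:", getcfg_vulnerable(wan))
    print("hardened, WAN:", getcfg_hardened(wan))
    sid = login("admin", "Wint3r!2024")
    print("hardened, LAN + session:", getcfg_hardened(Request("POST", "/getcfg.php", "192.168.0.10", {"sid": sid})))
```

The order of the checks matters for exposure: the network check runs before any session lookup, so an unauthenticated WAN client learns nothing about whether the endpoint exists or what it would return, which is the property the original /getcfg.php lacked.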
