Cyber Posture

CVE-2026-42375

Critical · Public PoC

Published: 04 May 2026
Modified: 06 May 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (34.7th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-42375 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in D-Link DIR-600L firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 34.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Prohibits the use of end-of-life devices like the D-Link DIR-600L that contain unpatchable hardcoded backdoor credentials, preventing deployment or continued operation of vulnerable hardware.

prevent · recover

Requires identification, prioritization, and remediation of the hardcoded telnet backdoor flaw (CVE-2026-42375) through replacement or retirement since no patches are available for the EOL device.

prevent · detect

Monitors and controls communications at system boundaries to block local network access to the exposed telnet port (23), preventing exploitation of the hardcoded credentials backdoor.

MITRE ATT&CK Enterprise Techniques [AI]

T1078.001 Default Accounts · Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1133 External Remote Services · Persistence
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

Why these techniques?

Hardcoded credentials in the Telnet daemon directly enable use of a backdoor/default account (T1078.001) for unauthenticated remote access via an external service (T1133), granting a root shell on the network-accessible router.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

D-Link DIR-600L Hardware Revision A1 (End-of-Life) contains a hardcoded telnet backdoor. The device starts a telnet daemon at boot via /bin/telnetd.sh with the username "Alphanetworks" and the static password "wrgn35_dlwbr_dir600l" read from /etc/alpha_config/image_sign. The custom telnetd binary accepts a -u user:password flag, and the custom login binary uses strcmp() to validate credentials. Successful authentication grants an unauthenticated attacker on the local network a root shell with full administrative control. The device has reached End-of-Life (EOL) and will not receive patches.

Deeper analysis [AI]

CVE-2026-42375 is a hardcoded credentials backdoor vulnerability (CWE-798) in the D-Link DIR-600L Hardware Revision A1 router, an end-of-life device. At boot, the firmware launches a telnet daemon via /bin/telnetd.sh, configuring it with the static username "Alphanetworks" and password "wrgn35_dlwbr_dir600l" sourced from /etc/alpha_config/image_sign. A custom telnetd binary accepts a -u user:password flag, while the custom login binary performs credential validation using strcmp(), enabling insecure remote access. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated attacker on the local network can exploit this vulnerability by connecting to the telnet service with the known hardcoded credentials. Successful authentication provides a root shell, granting full administrative control over the device, including potential for arbitrary code execution, configuration changes, or persistence mechanisms.

Advisories, including those from Securin.io, confirm the device has reached end-of-life status and will not receive patches or vendor support. No mitigations are available beyond device replacement or network isolation to prevent local network access to the telnet port.
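For teams triaging other firmware images for the same pattern (an init script that starts telnetd with a `-u user:password` argument), the following added example, which is not part of the advisory or of any D-Link code, walks an unpacked root filesystem and reports each such invocation. The sample tree, its paths and its credentials are constructed for illustration, and the regular expression is an assumption about how such a script line looks.

```python
import re
import tempfile
from pathlib import Path

# A telnetd invocation that passes "-u user:secret" on its command line.
TELNETD_U = re.compile(r"\btelnetd\b[^\n#]*?\s-u\s+[\"']?([^\s:\"']+):(\S+)")

def audit_rootfs(root):
    """Return (relative path, line no, user, secret kind) for each hit."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        # Skip symlinks so absolute links in the image cannot lead outside it.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file, not a script
        for lineno, line in enumerate(text.splitlines(), 1):
            match = None if line.lstrip().startswith("#") else TELNETD_U.search(line)
            if match:
                # "$var" or backticks: the secret is read at boot from a file in the image.
                secret = match.group(2).lstrip("\"'")
                kind = "variable" if secret.startswith(("$", "`")) else "literal"
                findings.append((path.relative_to(root).as_posix(), lineno, match.group(1), kind))
    return findings

def build_sample_rootfs(root):
    """Write a small constructed tree (hypothetical paths and credentials)."""
    files = {
        "etc/init.d/S80telnetd.sh": "#!/bin/sh\nimage_sign=`cat /etc/config/sign`\n"
                                    'telnetd -l /usr/sbin/login -u "exampleuser:$image_sign" -i br0 &\n',
        "etc/init.d/S90httpd.sh": "#!/bin/sh\n# telnetd -u old:old\nhttpd -p 80 &\n",
        "usr/sbin/debug.sh": "#!/bin/sh\ntelnetd -u svc:changeme &\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    binary = Path(root) / "bin/busybox"
    binary.parent.mkdir(parents=True, exist_ok=True)
    binary.write_bytes(b"\x7fELF\xff\xfe")  # non-UTF-8 bytes, must be skipped

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_rootfs(tmp)
        for finding in audit_rootfs(tmp):
            print(finding)
```

A "variable" finding still means a static secret when the referenced file ships inside the image, so treat both kinds as hits to review.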

Details

CWE(s)

Affected Products

dlink · dir-600l firmware · all versions

AI Security Analysis [AI]

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: backdoor

CVEs Like This One

CVE-2026-42374 · Same product: Dlink Dir-600L
CVE-2026-42376 · Same vendor: Dlink
CVE-2025-60554 · Same product: Dlink Dir-600L
CVE-2025-60548 · Same product: Dlink Dir-600L
CVE-2025-60553 · Same product: Dlink Dir-600L
CVE-2026-42372 · Same vendor: Dlink
CVE-2026-42373 · Same vendor: Dlink
CVE-2025-22968 · Same vendor: Dlink
CVE-2024-46429 · Shared CWE-798
CVE-2026-23647 · Shared CWE-798