Summary
A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. It affects the DIR-605L and DIR-816L routers.
Successful exploitation enables attackers to modify router configurations, deploy malware, or pivot into internal networks.
OEM | D-Link |
Severity | Medium |
CVSS Score | 6.5 |
CVEs | CVE-2025-46176 |
Actively Exploited | No |
Exploited in Wild | No |
Advisory Version | 1.0 |
Overview
The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.
The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.
Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
Hardcoded Telnet Credentials vulnerability | CVE-2025-46176 | D-Link Router | Medium | No official fix available |
Technical Summary
The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.
Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.
Security experts recommended retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-46176 | D-Link DIR-605L v2.13B01, DIR-816L v2.06B01 | Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords. | RCE |
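A check for this pattern in the init scripts of an unpacked firmware image, as an added example that is not code from D-Link or from the researchers. The sample lines are constructed apart from the telnetd command quoted in the table above, and the `-u user:password` form is assumed to behave as that command shows.

```python
import shlex

# Constructed sample of init-script lines; only line 2 is the command
# quoted in the advisory, the rest are made up for contrast.
SAMPLE_INIT_LINES = [
    "#!/bin/sh",
    "/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign",
    "telnetd -p 2323 &",
    "# telnetd -l /bin/sh -u admin:admin",
    "httpd -f /etc/httpd.conf",
]

BARE_SHELLS = ("/bin/sh", "/bin/ash", "/bin/bash")


def audit_telnetd(lines):
    """Flag telnetd invocations that bake in a login or hand out a bare shell.

    Returns (line_number, port, issues) tuples. The password itself is
    never included in the findings.
    """
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            argv = shlex.split(raw, comments=True)  # drops '#' comments
        except ValueError:
            continue  # unbalanced quotes: not a simple command line
        cmd = [i for i, a in enumerate(argv) if a.rsplit("/", 1)[-1] == "telnetd"]
        if not cmd:
            continue
        args = argv[cmd[0] + 1:]
        opts = {args[i]: args[i + 1] for i in range(len(args) - 1)
                if args[i] in ("-u", "-l", "-p")}
        issues = []
        if ":" in opts.get("-u", ""):
            user, secret = opts["-u"].split(":", 1)
            kind = "variable-derived" if secret.startswith("$") else "literal"
            issues.append(f"fixed login '{user}' with {kind} password")
        if opts.get("-l") in BARE_SHELLS:
            issues.append("login program is a bare shell")
        if issues:
            findings.append((lineno, opts.get("-p", "23"), issues))
    return findings


if __name__ == "__main__":
    for lineno, port, issues in audit_telnetd(SAMPLE_INIT_LINES):
        print(f"line {lineno}: telnetd on tcp/{port}: " + "; ".join(issues))
```

A variable-derived password such as `$image_sign` is still static when the variable is filled from a file shipped in the image, so it is reported the same way as a literal.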
Recommendations:
As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include:
iptables -A INPUT -p tcp --dport 23 -j DROP
Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users.
While exploitation likelihood is currently assessed as low, the vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.
Immediate mitigation is advised, especially for publicly exposed devices. Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.
Threat from Legacy Devices:
The Telnet vulnerability highlights the security risks that legacy networking equipment carries, including hardcoded credentials embedded in IoT devices.
Such devices often have inadequate security, harbor multiple unpatched vulnerabilities and rely on security controls that fail to address the underlying risks. This poses a threat not only to the device itself, but also to the network and connected critical assets.