Certain models of D-Link wireless routers have a hidden functionality where the telnet service is enabled when the WAN port is plugged in. Unauthorized remote attackers can log in and execute OS commands using hard-coded credentials.
The router's firmware contains a hidden mechanism that launches the telnet service when a connection on the WAN port is detected. This service uses hardcoded credentials that cannot be changed through the standard management interface. Remote attackers without any privileges can exploit these credentials to log in over the network and gain access to the device's system shell. This occurs without any user interaction and requires no special knowledge of device configuration.
Attacker gains full unauthorized access to the router's operating system, enabling execution of arbitrary OS commands — including modification of network configuration, interception of network traffic, installation of malicious software, and potential use of the device as an entry point to the internal network.
Apply patches available from the manufacturer according to provided references. Until patches are deployed, it is recommended to restrict access to the router's WAN port and monitor unauthorized telnet connections. If the manufacturer has not released updates, consider device replacement or network isolation.
D-Link DIR-X4860 — specific firmware versions indicated in manufacturer references (TWCERT)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDlink Dir X4860
HWDlinka1Dlink Dir X4860 Firmware
OSDlink1.001.04
Related vulnerabilities
Stack-based Buffer Overflow w routerach D-Link DIR-X5460 umożliwiający RCE
Stack-based Buffer Overflow w routerach D-Link DIR-X4860 umożliwiający RCE
D-Link DIR-X4860: command injection przez telnet z użyciem zakodowanych poświadczeń
Certain models of D-Link wireless routers contain hidden functionality. By sending specific packets to the web...
D-Link DNS-320L/325/327L/340L — zakodowane na stałe poświadczenia (hard-coded credentials)