CVE-2019-18852

Vulnerability

Multiple D-Link router models contain a hardcoded user account named "Alphanetworks" stored in configuration files /etc/config/image_sign or /etc/alpha_config/image_sign. This account provides TELNET access without requiring user interaction or authentication. Affected models and firmware versions include: DIR-600 B1 V2.01 for WW, DIR-890L A1 v1.03, DIR-615 J1 v100 (for DCN), DIR-645 A1 v1.03, DIR-815 A1 v1.01, DIR-823 A1 v1.01, and DIR-842 C1 v3.00 [1].

Exploitation

An attacker with network access to the device's TELNET service (typically port 23) can exploit this vulnerability by connecting via TELNET and logging in with the hardcoded credentials. No prior authentication or special privileges are required. The attacker simply needs to know the preconfigured username and password, which are embedded in the firmware [1].

Impact

Successful exploitation grants the attacker a TELNET shell, typically with root privileges, allowing full control over the device. This enables complete compromise of confidentiality (access to network traffic, configuration), integrity (modification of firmware settings), and availability (denial of service, disruption of network operations).

Mitigation

As of the publication date (2019-11-11), no official firmware patches have been released for most affected models. Users should disable TELNET access on the device if possible, restrict TELNET access to trusted IP addresses via firewall rules, or replace the device with a supported model. Some devices may be end-of-life (EOL) and will not receive security updates [1].