CVE-2021-34203
Description
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. When PPPoE is configured, the AC2600 router (DIR-2640-US) starts a Quagga process that listens on the whole network, and this service uses the original default password and port. An attacker can easily use telnet to log in, modify routing information, monitor the traffic of all devices under the router, hijack DNS, and carry out phishing attacks. In addition, customers are likely to question this interface as a backdoor, because it should not be exposed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
D-Link DIR-2640-US firmware 1.01B04 exposes Quagga routing daemon via telnet with default credentials when PPPoE is configured, allowing full network compromise.
Vulnerability
The D-Link DIR-2640-US router running firmware version 1.01B04 starts the Quagga routing daemon (version 1.1.1) when the PPPoE connection type is selected during network configuration, regardless of whether the connection succeeds. This daemon is exposed on telnet port 2601 with default credentials, constituting an incorrect access control vulnerability [1].
Exploitation
An attacker with network access to the router can connect via telnet to port 2601 and log in using the default password. Once authenticated, the attacker can execute arbitrary Quagga commands, for example "show interface" to monitor network interfaces, and can modify routing tables [1].
Impact
Successful exploitation allows the attacker to monitor all traffic of devices behind the router, modify routing information, hijack DNS, and perform phishing attacks. This results in a complete compromise of confidentiality and integrity, with low availability impact, as reflected in the CVSS score of 9.4 (Critical) [1].
Mitigation
As of the publication date (2021-06-16), no official fix is available from D-Link [1]. Users are advised to avoid using PPPoE configuration or consider upgrading to a different router model. Monitoring D-Link's security bulletin for future updates is recommended [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- D-Link/ac2600
Patches
No patches discovered yet.
References
- d-link.com (mitre, x_refsource_MISC)
- dir-2640-us.com (mitre, x_refsource_MISC)
- github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-34203 (mitre, x_refsource_MISC)
- www.dlink.com/en/security-bulletin/ (mitre, x_refsource_MISC)