CVE-2023-46685 – A hard-coded password vulnerability in the teln... (How to Fix)

📋 TL;DR

A hard-coded password vulnerability in the telnetd functionality of LevelOne WBR-6013 routers allows attackers to execute arbitrary commands with root privileges. This affects LevelOne WBR-6013 routers running specific vulnerable firmware versions. Attackers can gain complete control of affected devices.

💻 Affected Systems

Products:

LevelOne WBR-6013

Versions: RER4_A_v3411b_2T2R_LEV_09_170623 firmware

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists in the telnetd service which may be enabled by default. Other firmware versions may also be affected but not confirmed.

📦 What is this software?

Wbr 6013 Firmware by Level1

View all CVEs affecting Wbr 6013 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to network infiltration, data exfiltration, botnet recruitment, and persistent backdoor installation.

🟠

Likely Case

Router takeover enabling traffic interception, DNS manipulation, credential theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact if telnet is disabled and devices are isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Directly exploitable from the internet if telnet port is exposed.

🏢 Internal Only: HIGH - Exploitable from any network segment with access to the telnet service.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specially crafted network packets to the telnet service. The hard-coded credentials bypass authentication entirely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory found

Restart Required: No

Instructions:

1. Check vendor website for firmware updates
2. If update available, download and install via web interface
3. Verify telnet service is disabled after update

🔧 Temporary Workarounds

Disable telnet service

linux

Completely disable the telnet daemon to prevent exploitation

telnetd -l /bin/sh -p 23 &

Block telnet port at firewall

linux

Prevent external access to telnet port 23

iptables -A INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

Isolate affected devices in separate VLAN with strict access controls
Implement network segmentation to limit lateral movement potential

🔍 How to Verify

Check if Vulnerable:

Attempt telnet connection to port 23 and check if authentication is bypassed with known hard-coded credentials

Check Version:

Check firmware version in router web interface or via serial console

Verify Fix Applied:

Verify telnet service is not running on port 23 and cannot be accessed

📡 Detection & Monitoring

Log Indicators:

Failed telnet authentication attempts
Successful telnet logins from unusual IPs
Root shell access via telnet

Network Indicators:

Telnet traffic to port 23
Unusual outbound connections from router
Command execution patterns in telnet sessions

SIEM Query:

source="router_logs" AND (event="telnet_login" OR port=23) AND (user="root" OR auth_success=true)

📊 Metadata

CVE ID: CVE-2023-46685

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-259

Published: July 8, 2024

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1871 Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1871 Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1871

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46685, you might also want to check these: