CVE-2024-41616 – D-Link DIR-300 REVA routers running firmware v1... (How to Fix)

Q: What is the severity of CVE-2024-41616?

CVE-2024-41616 has a CVSS score of 9.8 (CRITICAL). D-Link DIR-300 REVA routers running firmware v1.06B05_WW contain hardcoded credentials in their Telnet service, allowing attackers to gain administrative access. This affects all users of these specific router models with the vulnerable firmware version. Attackers can completely compromise the router and potentially pivot to internal networks.

📋 TL;DR

D-Link DIR-300 REVA routers running firmware v1.06B05_WW contain hardcoded credentials in their Telnet service, allowing attackers to gain administrative access. This affects all users of these specific router models with the vulnerable firmware version. Attackers can completely compromise the router and potentially pivot to internal networks.

💻 Affected Systems

Products:

D-Link DIR-300 REVA

Versions: v1.06B05_WW

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Telnet service may be enabled by default on some configurations. All devices with this exact firmware version are vulnerable.

📦 What is this software?

Dir 300 Firmware by Dlink

View all CVEs affecting Dir 300 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router takeover leading to network compromise, traffic interception, credential theft, and lateral movement to connected devices.

🟠

Likely Case

Router compromise enabling network monitoring, DNS hijacking, and access to connected IoT devices.

🟢

If Mitigated

Limited impact if Telnet is disabled and strong perimeter controls prevent external access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only Telnet access and knowledge of hardcoded credentials. Public proof-of-concept exists in GitHub repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Consider replacing affected hardware with supported models.

🔧 Temporary Workarounds

Disable Telnet Service

linux

Completely disable Telnet access to prevent credential exploitation

telnetd stop
killall telnetd
chmod -x /usr/sbin/telnetd

Network Access Control

linux

Block Telnet port 23 at firewall/network perimeter

iptables -A INPUT -p tcp --dport 23 -j DROP

🧯 If You Can't Patch

Replace affected hardware with supported models
Isolate vulnerable routers in separate network segments with strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check firmware version in web interface or via command: cat /etc/version

Check Version:

cat /etc/version

Verify Fix Applied:

Attempt Telnet connection to port 23 - should be unreachable or require authentication

📡 Detection & Monitoring

Log Indicators:

Failed/successful Telnet authentication attempts
Telnet service start/stop events

Network Indicators:

Telnet connections to port 23 from external IPs
Multiple failed login attempts followed by success

SIEM Query:

source="router.log" AND ("telnet" OR "port 23") AND ("login" OR "authentication")

📊 Metadata

CVE ID: CVE-2024-41616

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-798

Published: August 6, 2024

Last Updated: August 7, 2024

🔗 References

https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DIR300/CVE-2024-41616 Third Party Advisory
https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DIR300/D-Link300.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-41616, you might also want to check these: