CVE-2021-40655 — D-Link DIR-605 Router Information Disclosure Vulnerability

D-Link DIR-605L (EOL) — Unauthenticated Credential Disclosure via Forged POST to /getcfg.php Exposes Admin Username and Password

The D-Link DIR-605L is a consumer-grade Wi-Fi router that reached end-of-life (EOL) and end-of-service (EOS). Like many SOHO routers, the DIR-605L provides web-based administration through a built-in HTTP server. SOHO routers are consistently targeted by botnets and threat actors because they are internet-connected, often run for years without updates, and provide strategic network access when compromised. Credential disclosure vulnerabilities in routers allow attackers to take over the device, enabling traffic interception, DNS hijacking, botnet enrollment, and use as a network pivot point.

Overview

CVE-2021-40655 is an information disclosure vulnerability (CWE-863: Incorrect Authorization) in D-Link DIR-605L routers. An unauthenticated attacker can send a specially crafted POST request to the /getcfg.php endpoint on the router's web administration interface, and the server responds with the router's administrator username and password in cleartext. No authentication or prior access is required. With the admin credentials obtained, the attacker has full control over the router — including DNS settings, port forwarding, wireless configuration, and the ability to install modified firmware.

D-Link has not released a patch because the DIR-605L has reached end-of-life. CISA's required action is to retire and replace the device. CISA added this to KEV in May 2024, confirming active exploitation against unretired DIR-605L devices.

Affected Versions

Product                                    Vulnerable   Fixed
D-Link DIR-605L (all hardware revisions)   Yes          No patch — EOL product; retire and replace

Technical Details

  • Root cause: Incorrect authorization (CWE-863) — the /getcfg.php endpoint on the router's embedded web server responds to POST requests without requiring authentication, and returns configuration data including plaintext admin credentials
  • Exploitation: An attacker sends a crafted POST request to http://<router-ip>/getcfg.php with specific parameters; the router responds with the admin username and password in cleartext — no session cookie, no credentials required to trigger the disclosure
  • Full device takeover: With admin credentials, the attacker can: change DNS servers (enabling phishing/interception), configure port forwarding for C2 access, modify Wi-Fi passwords, install modified firmware, and use the device as a network pivot for attacking internal hosts
  • Confidentiality-only CVSS: C:H/I:N/A:N — the vulnerability itself only discloses credentials; the follow-on impact of full device control is not captured in the CVSS base score
  • No authentication required: AV:N/PR:N — exploitable from the internet if the router's management interface is internet-accessible (common for many consumer router deployments)
  • No patch: D-Link will not issue a fix for EOL hardware — the only remediation is replacement
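The disclosure described above has a simple network signature: an HTTP POST to /getcfg.php that carries no admin session. The following detection logic is an added example written for this page, not code from D-Link or from the advisory; it assumes HTTP metadata for traffic to the router's web interface is available as JSON lines from an upstream proxy, tap or IDS export (the field names `ts`, `src`, `method`, `uri`, `status`, `has_session` and the sample records are constructed for illustration). It flags every POST to the endpoint, and rates WAN-sourced requests highest because they also prove the management interface is internet-reachable.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample HTTP log records (JSON lines). These are made-up events
# for illustration, not captured traffic; the field names are assumptions.
SAMPLE_LOG = """\
{"ts": "2024-05-16T10:01:02Z", "src": "192.168.0.23", "method": "GET", "uri": "/index.html", "status": 200, "has_session": true}
{"ts": "2024-05-16T10:01:05Z", "src": "192.168.0.23", "method": "POST", "uri": "/getcfg.php", "status": 200, "has_session": true}
{"ts": "2024-05-16T10:02:40Z", "src": "203.0.113.77", "method": "POST", "uri": "/getcfg.php", "status": 200, "has_session": false}
{"ts": "2024-05-16T10:02:41Z", "src": "203.0.113.77", "method": "POST", "uri": "/GETCFG.PHP?x=1", "status": 200, "has_session": false}
{"ts": "2024-05-16T10:03:00Z", "src": "198.51.100.5", "method": "GET", "uri": "/getcfg.php", "status": 403, "has_session": false}
"""

# RFC 1918 ranges: requests from here are LAN clients, anything else is WAN-side.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

TARGET_PATH = "/getcfg.php"


def is_lan(ip: str) -> bool:
    """True if the source address falls inside one of the private LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def parse_records(text: str):
    """Yield one dict per non-empty JSON line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(rec: dict):
    """Return an alert dict for a POST to /getcfg.php, or None for anything else.

    Path matching is case-insensitive and ignores the query string so that
    trivial variations of the URI do not evade the rule.
    """
    path = urlsplit(rec.get("uri", "")).path.lower()
    if path != TARGET_PATH or rec.get("method", "").upper() != "POST":
        return None
    src = rec["src"]
    if not is_lan(src):
        severity = "critical"   # WAN client reached the endpoint: interface is exposed
        reason = "POST to /getcfg.php from a non-LAN address"
    elif not rec.get("has_session", False):
        severity = "high"       # LAN client with no admin session: internal probe
        reason = "POST to /getcfg.php from LAN without an admin session"
    else:
        severity = "info"       # matches normal admin UI behaviour; keep for audit
        reason = "POST to /getcfg.php within an established admin session"
    return {"ts": rec.get("ts"), "src": src, "severity": severity, "reason": reason}


def detect(text: str) -> list:
    """Run the rule over a JSON-lines log export and return the alerts in order."""
    return [a for a in map(classify, parse_records(text)) if a is not None]


def summarize(alerts: list) -> dict:
    """Count alerts per severity, e.g. {'critical': 2, 'info': 1}."""
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(f'{alert["ts"]} {alert["severity"]:8} {alert["src"]:15} {alert["reason"]}')
    print(summarize(found))
```

Any "critical" hit is evidence both of a probe and of a management interface reachable from the internet, which is exactly the condition remediation steps 2 and 4 below are meant to remove; a "high" hit from the LAN points at a compromised internal host or a guest-network client and deserves the same follow-up as a credential theft.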

Discovery

Reported and published by security researchers. The three-year gap between CVE publication (2021) and CISA KEV addition (May 2024) reflects continued active exploitation of unretired DIR-605L devices in botnet campaigns and targeted network intrusions.

Exploitation Context

End-of-life SOHO routers with known credential disclosure vulnerabilities are persistent targets for Mirai-variant botnets, cryptomining infrastructure operators, and threat actors building proxy networks. The DIR-605L credential disclosure provides an easy path to router takeover for any attacker who can reach the management interface. Organizations and individuals who have not retired DIR-605L devices (often installed years ago and forgotten) remain vulnerable with no patch available. The CISA KEV addition with an EOL-specific required action — "retire and replace" — reflects that the only real remediation is device replacement.

Remediation

  1. Retire and replace the D-Link DIR-605L immediately — this device is EOL with no patch available. Replace with a current-generation router that receives security updates
  2. As an interim measure if immediate replacement is not possible: disable remote management / web admin access from WAN (internet) side — restrict management to LAN only
  3. Change the default admin password to a strong unique credential — this does not fix the vulnerability but raises the bar for exploitation
  4. Place the router behind an ISP modem/gateway with NAT to prevent direct internet access to the management interface
  5. Contact your ISP if you need assistance selecting a replacement router that meets your connectivity requirements

Key Details

Property              Value
CVE ID                CVE-2021-40655
Vendor / Product      D-Link — DIR-605 Router
NVD Published         2021-09-24
NVD Last Modified     2025-11-10
CVSS 3.1 Score        7.5
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity              HIGH
CWE                   CWE-863
CISA KEV Added        2024-05-16
CISA KEV Deadline     2024-06-06
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             None
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2024-06-06. This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.

Timeline

Date         Event
2021-09-24   CVE-2021-40655 published
2024-05-16   Added to CISA Known Exploited Vulnerabilities catalog — nearly three years after publication; no patch available (EOL product)
2024-06-06   CISA BOD 22-01 remediation deadline

References

Resource                   Type
NVD — CVE-2021-40655       Vulnerability Database
CISA KEV Catalog Entry     US Government