Insufficiently Protected Credentials in D-Link AC2600 DIR-2640 Router
CVE-2021-34204

6.8 MEDIUM

Key Information:

Vendor: D-Link
CVE Published: 16 June 2021

Summary

The D-Link AC2600 (DIR-2640) router stores the device system account password in plain text. Because the device lacks proper user management, all devices use an identical password that cannot be changed. An attacker who can access the router's serial port can exploit this weakness to gain root privileges without authorization. The issue underscores the importance of secure password management for safeguarding network integrity.

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
