Description
D-Link DIR-2640-US 1.01B04 is vulnerable to Incorrect Access Control. Router ac2600 (dir-2640-us), when setting PPPoE, will start quagga process in the way of whole network monitoring, and this function uses the original default password and port. An attacker can easily use telnet to log in, modify routing information, monitor the traffic of all devices under the router, hijack DNS and phishing attacks. In addition, this interface is likely to be questioned by customers as a backdoor, because the interface should not be exposed.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_misc
http://d-link.com
Vendor Advisory x_refsource_misc
https://www.dlink.com/en/security-bulletin/
Broken Link, URL Repurposed x_refsource_misc
http://dir-2640-us.com
Exploit, Third Party Advisory x_refsource_misc
https://github.com/liyansong2018/CVE/tree/main/2021/CVE-2021-34203
Scores
CVSS v3
8.1
EPSS
0.0163
EPSS Percentile
73.0%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-1188
Status
published
Products (1)
dlink/dir-2640-us_firmware
1.01b04
Published
Jun 16, 2021
Tracked Since
Feb 18, 2026