Description
D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST requests. Attackers can send requests to /my_cgi.cgi with table_name values like admin_user, wireless_settings, and wireless_security to extract administrative credentials and wireless network keys in clear text.
Published: 2026-05-23
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a credential disclosure flaw that allows an unauthenticated attacker who can send POST requests to /my_cgi.cgi to manipulate the table_name parameter. By using values such as admin_user, wireless_settings, or wireless_security, the attacker can retrieve administrative passwords and wireless keys in clear text. The primary consequence is a breach of confidentiality, as the attacker gains privileged network credentials and wireless network secrets without needing any authentication.

Affected Systems

The weakness affects D‑Link DIR601NA routers running firmware version 2.02NA.

Risk and Exploitability

The CVSS score of 8.7 classifies this as high severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw simply by sending unauthenticated HTTP POST requests over the network; no special access or privileges are required. Because the data is transmitted in clear text, any adversary with network access to the router can extend their intrusion, potentially compromising the entire local network.

Generated by OpenCVE AI on May 23, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the firmware to a version that fixes the credential disclosure vulnerability, as provided by D‑Link via their support portal.
  • If an update is not immediately available, disable the router’s web management interface or restrict it to a trusted local subnet to prevent remote discovery of the my_cgi.cgi endpoint.
  • Change all default administrative passwords and wireless network keys, and implement strong, non‑predictable passwords to reduce the impact should credentials remain exposed.


Advisories

No advisories yet.

History

Sat, 23 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | D-Link DIR601 2.02NA contains a credential disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration data by manipulating the table_name parameter in POST requests. Attackers can send requests to /my_cgi.cgi with table_name values like admin_user, wireless_settings, and wireless_security to extract administrative credentials and wireless network keys in clear text.
Title | | D-Link DIR601 2.02NA Credential Disclosure via my_cgi.cgi
Weaknesses | | CWE-497
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-23T18:30:57.111Z

Reserved: 2026-05-23T16:48:08.746Z

Link: CVE-2018-25358

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T19:30:25Z

Weaknesses