Description
A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-01
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the httpd component of D-Link M60 devices results in weak password recovery and can be triggered remotely. The flaw can lead to unauthorized retrieval of administrator passwords, effectively bypassing normal authentication. Exploitation is complex and considered difficult to execute, but the exploit has been publicly disclosed.

Affected Systems

The vulnerability affects D‑Link M60 routers running firmware up to version 1.20B02. Users with these firmware releases are at risk if the device remains in service without corrective action.

Risk and Exploitability

The CVSS score of 6.3 denotes moderate impact. EPSS data is not available, but the description notes the attack requires high complexity and is difficult to carry out. The flaw is not listed in the CISA KEV catalog. Attackers can trigger it remotely, making the risk realistic for exposed devices.

Generated by OpenCVE AI on May 1, 2026 at 23:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by D‑Link that addresses the httpd password recovery issue
  • If no firmware update is available, disable the httpd service or password recovery functionality on the device to block the vulnerability
  • Configure the device with strong, unique administrator passwords and consider enabling multi‑factor authentication to mitigate the potential impact of compromised credentials
  • Monitor logs and network traffic for anomalous password recovery attempts and enforce strict access controls

Generated by OpenCVE AI on May 1, 2026 at 23:54 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | D-link; D-link m60
Vendors & Products | | D-link; D-link m60

Fri, 01 May 2026 06:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in D-Link M60 up to 1.20B02. Affected by this issue is some unknown functionality of the file /usr/bin/httpd. This manipulation causes weak password recovery. The attack can be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized.
Title | | D-Link M60 httpd password recovery
Weaknesses | | CWE-640
References | |
Metrics | | cvssV2_0: {'score': 5.1, 'vector': 'AV:N/AC:H/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 5.6, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-01T04:45:15.575Z

Reserved: 2026-04-30T19:07:48.377Z

Link: CVE-2026-7554

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-05-01T06:16:32.420

Modified: 2026-05-01T15:26:11.827

Link: CVE-2026-7554

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses