CVE-2021-40655
CVE-2021-40655 is a high-severity vulnerability in Dlink Dir-605l Firmware with a CVSS 3.x base score of 7.5. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-05-16). The underlying weakness is classified as CWE-863.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 87% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-05-16)
- EU (EUVD) id: EUVD-2021-27829
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-05-16)
- Weakness: CWE-863
- Affected product: Dlink Dir-605l Firmware
- Published:
- Last modified:
Description
An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
Frequently asked questions
- What is CVE-2021-40655?
- An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page
- How severe is CVE-2021-40655?
- CVE-2021-40655 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-40655 being actively exploited?
- Yes. CVE-2021-40655 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-05-16, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-40655?
- CVE-2021-40655 affects Dlink Dir-605l Firmware. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-40655?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-40655 have an EU (EUVD) identifier?
- Yes. CVE-2021-40655 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-27829. It is also flagged as exploited in the EUVD (since 2024-05-16).
- When was CVE-2021-40655 published?
- CVE-2021-40655 was published on 2021-09-24 and last updated on 2026-06-17.
References
- https://github.com/Ilovewomen/D-LINK-DIR-605/
- https://www.dlink.com/en/security-bulletin/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-40655
Affected products (1)
- cpe:2.3:o:dlink:dir-605l_firmware:2.01mt:*:*:*:*:*:*:*
More vulnerabilities in Dlink Dir-605l Firmware
- CVE-2026-42373 — Critical (CVSS 9.8): D-Link DIR-605L Hardware Revision B2 (End-of-Life, EOL) contains a hardcoded telnet backdoor. The device starts a…
- CVE-2012-10021 — Critical (CVSS 9.8): A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12…
- CVE-2023-29961 — Critical (CVSS 9.8): D-Link DIR-605L firmware version 1.17B01 BETA is vulnerable to stack overflow via /goform/formTcpipSetup,
- CVE-2023-24352 — Critical (CVSS 9.8): D-Link N300 WI-FI Router DIR-605L v2.13B01 was discovered to contain a stack overflow via the webpage parameter at…
- CVE-2023-24351 — Critical (CVSS 9.8): D-Link N300 WI-FI Router DIR-605L v2.13B01 was discovered to contain a stack overflow via the FILECODE parameter at…
- CVE-2023-24350 — Critical (CVSS 9.8): D-Link N300 WI-FI Router DIR-605L v2.13B01 was discovered to contain a stack overflow via the config.smtp_email_subject…
All CVEs affecting Dlink Dir-605l Firmware →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →