D-Link DIR-1253/DIR-835M (White version of DIR-1253) prior version V1.0.1.250923.142435, contained a harcoded root (administrator) credential inside etc/shadow file.

Avatar

Zuhri

  ( 2 min read )

Summary #

D-Link DIR-1253/DIR-835M (White version of DIR-1253) prior version V1.0.1.250923.142435, contained a harcoded root (administrator) credential. The file affected is locate at etc/shadow inside of firmware version V1.0.1.250923.142435 with binary named DIR-1253_V1.0.1.250923.142435_official.bin. These credentials are able in use as serial console login (TTY).

Proof of Concept #

A fully automate Proof of Concept (PoC) in one-liner of code.

Automated exploit PoC gif

Details #

The affected component is located at etc/shadow, the etc/shadow file is contained a hardcoded root level privilege (administrator). Which is, the attacker are able to compromising the device via serial console login.

The etc/shadow:1-2 file are contained root level privilege (administrator) within other user account (tmadmin) leakage.

1root:$1$qGmxLn8v$yTzaaXdb6.6QLLgS0Euz.1:12571:0:99999:7:::
2tmadmin:$1$W9mpTzNH$GCFTW1Zoa6LPPOv3T1jDO/:0:0:99999:7:::

Impact #

The attacker are able to fully compromising the device (DIR-1253) via serial console login, by using a hardcoded component inside the firmware.

Timeline #

# Dec 20, 2025:
- Vulnerability was reported to: D-Link US SIRT.
- D-Link US SIRT: "We don't recognize the device."

# Mar 04, 2026:
- Request for CVE ID to MITRE CNA.

# Mar 17, 2026:
- MITRE: "They (D-Link) REJECTED the claim."

# May 22, 2026:
- Request for CVE ID to MITRE CNA.

# Jul 08, 2026:
- CVE-2026-52533 was assigned in RESERVED states.
- CVE-2026-52533 references was in public.

# Jul 09, 2026:
- Request for CVE-2026-52533 states to be PUBLISHED.

References #

- https://dlink.com.ph/Downloads/DIR-1253/datasheet/DIR-1253-Datasheet-WHITE-VERSION.pdf
- https://support.dlink.com.sg/consumer/wi-fi-router/dir-1253
- https://cwe.mitre.org/data/definitions/798.html
- https://zuh.re/cve/2025-29165/
- https://zuh.re/blog/2025/performing-sast-on-dlink-dir-1253-firmware-white-version/