The CERT Coordination Center (CERT/CC) has issued a security advisory detailing a serious unpatched vulnerability affecting the TOTOLINK EX200 wireless range extender, which could allow a remote attacker to gain complete control over the device.
The vulnerability, tracked as CVE-2025-65606, originates from improper error handling within the device's firmware upload mechanism. Although no CVSS score has been assigned yet, the flaw poses a critical risk due to its potential to expose root-level system access.
Firmware Upload Error Triggers Root Telnet Access
According to CERT/CC, the issue occurs when an authenticated user uploads a specially crafted or malformed firmware file through the web-based management interface. This action causes the firmware upload handler to enter an abnormal error state.
As a result, the device unintentionally launches a telnet service running with root privileges, without requiring any authentication. Once activated, this service allows attackers to remotely connect and gain unrestricted access to the system.
CERT/CC confirmed that exploitation requires prior authentication to the administrative web interface, as the attacker must access the firmware upload functionality to trigger the flaw.
Full Device Compromise Possible
Once the unauthenticated root telnet service is exposed, attackers can completely compromise the affected device. This may include modifying configuration settings, executing arbitrary system commands, installing persistent backdoors, or using the device as part of a larger malicious network.
The unintended remote access interface significantly increases the attack surface and enables long-term control over vulnerable systems.
No Patch Available as Product Is No Longer Maintained
CERT/CC stated that TOTOLINK has not released any security patch to fix the vulnerability. The EX200 device is reportedly no longer under active development or maintenance.
Public information on TOTOLINK’s official website shows that the last firmware update for the EX200 was released in February 2023, indicating that users should not expect future security updates.
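With no vendor fix coming, the practical controls are network isolation of the extender and monitoring for the symptom the advisory describes: a telnet listener that should never be there. The following Python check is an added example, not code from CERT/CC, TOTOLINK or the advisory. It assumes only that the extender's management address is known to the operator and that a healthy EX200 does not accept connections on TCP/23 (the advisory does not list the device's normal port set, so that is an assumption). The 192.0.2.x addresses and the "login:" banner are constructed sample values, and the local-listener helper stands in for a device so the check can be exercised offline.

```python
"""Defender-side check for an unexpected telnet listener on a TOTOLINK EX200.

Added example; not code from CERT/CC or TOTOLINK. Assumption: a healthy
extender never listens on TCP/23, so a reachable telnet port is a symptom of
the error state described in CVE-2025-65606. All hosts and banners below are
constructed sample values.
"""
import socket
import threading
from dataclasses import dataclass
from typing import Callable, List, Tuple

TELNET_PORT = 23

# A probe takes (host, port) and returns (reachable, banner). Injecting it lets
# the audit run against a fake device in tests and a real one in operation.
Probe = Callable[[str, int], Tuple[bool, bytes]]


@dataclass
class Finding:
    host: str
    port: int
    reachable: bool
    banner: bytes


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> Tuple[bool, bytes]:
    """Open a TCP connection and read whatever the service volunteers.

    Nothing is sent: the check only records that a listener answered, which is
    all a monitoring job needs. Unreachable ports yield (False, b"").
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(128)
            except (socket.timeout, OSError):
                banner = b""
            return True, banner
    except OSError:
        return False, b""


def audit_extender(host: str, ports=(TELNET_PORT,), probe: Probe = probe_tcp) -> List[Finding]:
    """Probe each port that should be closed on a healthy device."""
    return [Finding(host, port, *probe(host, port)) for port in ports]


def exposed(findings: List[Finding]) -> List[Finding]:
    """Only the findings where a listener actually answered."""
    return [f for f in findings if f.reachable]


def report(findings: List[Finding]) -> str:
    """Human-readable summary suitable for a cron mail or SIEM message."""
    bad = exposed(findings)
    if not bad:
        return "OK: no unexpected listener on %s" % findings[0].host
    lines = ["ALERT: unexpected listener(s) on %s" % findings[0].host]
    for f in bad:
        lines.append("  tcp/%d reachable, banner=%r" % (f.port, f.banner[:40]))
    lines.append("  Action: isolate the extender, power-cycle it, and review who last used the firmware upload page.")
    return "\n".join(lines)


def demo_against_local_listener(banner: bytes = b"login: ") -> List[Finding]:
    """Stand-in for an affected device: a throwaway listener on 127.0.0.1 that
    greets with a constructed telnet-style prompt, so the audit runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port; nothing else is touched
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        return audit_extender("127.0.0.1", ports=(port,))
    finally:
        worker.join(timeout=3)
        srv.close()


if __name__ == "__main__":
    # Constructed management address; replace with the extender's real one.
    print(report(audit_extender("192.0.2.10")))
    print(report(demo_against_local_listener()))
```

Run it from an admin host on a schedule; an ALERT line is the cue to take the extender off the network, since the advisory states the trigger requires an authenticated session on the management interface, so the audit trail of who used the firmware upload page is the next thing to examine.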