Full Report
The CERT Coordination Center (CERT/CC) has disclosed details of an unpatched security flaw impacting TOTOLINK EX200 wireless range extender that could allow a remote authenticated attacker to gain full control of the device. The flaw, CVE-2025-65606 (CVSS score: N/A), has been characterized as a flaw in the firmware-upload error-handling logic, which could cause the device to inadvertently start
Analysis Summary
# Vulnerability: Unauthenticated Root Telnet Service Enabled via Firmware Upload Error on TOTOLINK EX200
## CVE Details
- CVE ID: CVE-2025-65606
- CVSS Score: N/A (Severity level not provided in the source)
- CWE: Flaw in error-handling logic (Related to improper input validation/state management during firmware processing)
## Affected Systems
- Products: TOTOLINK EX200 wireless range extender
- Versions: Not specified, applies to firmware prior to any potential fix. The product is stated to be no longer actively maintained (last firmware update in February 2023).
- Configurations: Requires the attacker to be already authenticated to the device's web management interface to access the firmware upload functionality.
## Vulnerability Description
The vulnerability resides in the firmware-upload error-handling logic. When an authenticated attacker attempts to upload specifically malformed firmware files, the system enters an "abnormal error state." This error condition causes the device to inadvertently start an unauthenticated Telnet service running with root-level privileges, granting the attacker full system access. This allows for configuration manipulation, arbitrary command execution, and persistence establishment.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but details have been publicly disclosed by CERT/CC. (PoC availability is inferred from the technical description allowing triggering via malformed files).
- Complexity: Medium (Requires prerequisite authentication to the management interface).
- Attack Vector: Network (Requires access to the web management interface)
## Impact
- Confidentiality: High (Full system access increases risk of data exfiltration)
- Integrity: High (Attacker can execute arbitrary commands and manipulate configurations)
- Availability: High (Attacker can cause denial of service or device compromise)
## Remediation
### Patches
- None available. TOTOLINK has reportedly not released any patches as the product is no longer actively maintained.
### Workarounds
- Restrict administrative access to the web management interface to only trusted networks.
- Prevent unauthorized users from accessing the management interface entirely.
- Monitor the device for anomalous activity, specifically the unexpected initiation of the Telnet service (port 23).
- Upgrade to a supported, actively maintained TOTOLINK model.
## Detection
- Indicators of Compromise: Presence of an active, unauthenticated Telnet connection (port 23) on the device, particularly with root privileges.
- Detection methods and tools: Network monitoring to check for listening ports on the appliance; device forensics to check system startup logs for the unexpected initiation of the Telnet daemon following a firmware upload operation.
## References
- Vendor advisories: Details disclosed by CERT/CC (KB ID not fully provided, referenced via CERT/CC advisory).
- Relevant links - defanged:
- Vendor Download Page (Last Firmware Update): hxxps://www.totolink.net/home/menu/detail/menu_listtpl/download/id/144/ids/36.html
- CERT/CC Advisory Source: (Inferred reference to CERT/CC's bulletin)