Unpatched Firmware Flaw Exposes TOTOLINK EX200 to Full Remote Device Takeover

Unpatched Firmware Flaw Exposes TOTOLINK EX200 to Full Remote Device Takeover

Briefly

"The flaw, CVE-2025-65606 (CVSS score: N/A), has been characterized as a flaw in the firmware-upload error-handling logic, which could cause the device to inadvertently start an unauthenticated root-level telnet service. CERT/CC credited Leandro Kogan for discovering and reporting the issue. "An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access," CERT/CC said. Successful exploitation of the flaw requires an attacker to be already authenticated to the web management interface to access the firmware-upload functionality."

"Successful exploitation of the flaw requires an attacker to be already authenticated to the web management interface to access the firmware-upload functionality. CERT/CC said the firmware-upload handler enters an "abnormal error state" when certain malformed firmware files are processed, causing the device to launch a telnet service with root privileges and without requiring any authentication. This unintended remote administration interface could be exploited by the attacker to hijack susceptible devices, leading to configuration manipulation, arbitrary command execution, or persistence."

"According to CERT/CC, TOTOLINK has not released any patches to address the flaw, and the product is said to be no longer actively maintained. TOTOLINK's web page for EX200 shows that the firmware for the product was last updated in February 2023. In the absence of a fix, users of the appliance are advised to restrict administrative access to trusted networks, prevent unauthorized users from accessing the management interface, monitor for anomalous activity, and upgrade to a supported model."