TOTOLINK EX200 Wireless Range Extender users face critical risk from CVE-2025-65606, an unpatched flaw disclosed by CERT/CC that allows authenticated attackers to trigger an unauthenticated root telnet service for full device control.
Published on January 6, 2026, this vulnerability affects end-of-life firmware with no vendor patch available, urging immediate network isolation or replacement.
Vulnerability Breakdown
The flaw resides in the firmware-upload handler of TOTOLINK EX200, where processing malformed firmware files forces the device into an abnormal error state.
This triggers launch of a root-privileged telnet service (TCP/23) that requires no authentication, exposing full system access including arbitrary command execution and persistent footholds.
Exploitation requires initial web management interface authentication, but converts low-privilege access into complete root takeover.
Technical Impact Highlights:
- Privilege Escalation Path: Authenticated → Unauthenticated Root Telnet → Full RCE
- CVSS Pending: No score assigned yet; severity aligns with remote root access patterns
- Discovery Credit: Leandro Kogan reported to CERT/CC
Affected Systems & Vendor Response
TOTOLINK EX200 range extender firmware, last updated February 2023, is end-of-life (EoL) with no patches released or planned.
CERT/CC confirms TOTOLINK provided no statement, classifying remediation status as “Unknown.”
Exposure Scope: Deployments in home/small office networks remain vulnerable; no known active exploits but high risk due to unauthenticated persistence post-trigger.
CERT/CC Mitigation Strategy
Apply layered controls immediately, as device replacement is the only long-term fix.
- Access Controls
Restrict web admin interface to trusted internal IPs only; disable remote/WAN management entirely. - Monitoring Rules
Alert on unexpected telnet (port 23) activity or firmware-upload anomalies as IoC for compromise. - Network Hygiene
Segment EX200 behind firewalls; use it only for non-critical extension, avoiding security boundary roles. - Lifecycle Action
Migrate to supported alternatives like modern mesh extenders with active security updates.
Broader TOTOLINK Threat Landscape
CERT/CC tracks parallel issues in TOTOLINK lineup, including VU#821724 (X5000R/AX1800) where unauthenticated CGI triggers telnet root access—highlighting systemic firmware weaknesses across models.
Security teams should audit all TOTOLINK deployments via NVD/CVE searches and prioritize EoL hardware retirement.
Stay Vigilant: Follow CISA KEV for prioritization; this fits unpatched router patterns driving supply-chain risks in SMB environments.
Nice information.