CERT/CC warns of critical, unfixed vulnerability in TOTOLINK EX200

CERT/CC disclosed an unpatched flaw in the TOTOLINK EX200 that allows a remote authenticated attacker to fully compromise the device.

CERT/CC warns of an unpatched vulnerability, tracked as CVE-2025-65606, in the TOTOLINK EX200 range extender that lets a remote authenticated attacker fully take over the device.

The TOTOLINK EX200 is a compact Wi-Fi range extender designed to boost wireless coverage in homes or small offices. It connects to an existing router and rebroadcasts the signal to eliminate dead zones, supporting basic security features and simple web-based configuration.

A vulnerability in the end-of-life TOTOLINK EX200 firmware allows a serious security bypass during firmware uploads. When the device processes specially crafted, malformed firmware files, an error in the upload handler can trigger an abnormal state that unintentionally starts a telnet service running as root and without authentication.

The researchers pointed out that exploitation requires prior access to the web management interface; however, once triggered, the exposed telnet service grants full remote control of the device. The telnet interface is normally disabled and not meant to be accessible, which makes this behavior particularly dangerous. Tracked as CVE-2025-65606, the flaw effectively turns an authenticated web action into a complete system takeover. It could allow attackers to change settings, run arbitrary commands, or maintain persistent access to the network.

“In the End-of-Life (EoL) TOTOLINK EX200 firmware, the firmware-upload handler enters an abnormal error state when processing certain malformed firmware files. When this occurs, the device launches a telnet service running with root privileges and does not require authentication,” reads the CERT/CC advisory. “Because the telnet interface is normally disabled and not intended to be exposed, this behavior creates an unintended remote administration interface.”

TOTOLINK has not patched the flaw and no longer supports the device, so users should limit admin access, watch for telnet activity, and replace the extender.
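One way to act on the "watch for telnet activity" advice, as an added example that is not from CERT/CC or the original article: a Python check that reports whether TCP/23 on an extender answers at all, which it should not on a healthy device. The address 192.0.2.10, the function names, and the assumption that a telnet daemon opens with IAC option negotiation are illustrative.

```python
import socket

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)


def telnet_state(host, port=23, timeout=3.0):
    """Classify the port as 'closed', 'filtered', 'open-telnet' or 'open-unknown'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"            # RST received: nothing is listening
    except OSError:
        return "filtered"          # timeout or unreachable: no answer at all
    with sock:
        sock.settimeout(timeout)
        try:
            first = sock.recv(64)  # passive read only, nothing is sent
        except OSError:
            first = b""            # listener stayed silent
    # Assumption: a telnet daemon usually starts with IAC negotiation bytes.
    if first and first[0] == IAC:
        return "open-telnet"
    return "open-unknown"


def exposed_telnet(hosts, port=23, timeout=3.0):
    """Return {host: state} for every host where the port accepted a connection.

    Telnet is normally disabled on the EX200, so any entry here is an alert,
    whether or not the listener identified itself as telnet.
    """
    findings = {}
    for host in hosts:
        state = telnet_state(host, port, timeout)
        if state.startswith("open"):
            findings[host] = state
    return findings


if __name__ == "__main__":
    # Constructed inventory: replace with the management IPs of your extenders.
    extenders = ["192.0.2.10"]
    for host, state in exposed_telnet(extenders).items():
        print(f"ALERT {host}: tcp/23 is {state}; isolate and replace the device")
```

Run it on a schedule from a host on the same segment as the extender, and treat a change from `closed` to either open state as an incident.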

The researcher Leandro Kogan reported the vulnerability.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2025-65606)
