
CERT Coordination Center

TOTOLINK EX200 firmware-upload error handling can activate an unauthenticated root telnet service

Vulnerability Note VU#295169

Original Release Date: 2026-01-06 | Last Revised: 2026-01-06

Overview

A flaw in the firmware-upload error-handling logic of the TOTOLINK EX200 extender can cause the device to start a telnet service that runs as root and requires no authentication. An attacker who is already authenticated to the web management interface can trigger this condition remotely and gain full control of the device.

Description

The TOTOLINK EX200 is End-of-Life (EoL). In its firmware, the firmware-upload handler enters an abnormal error state when it processes certain malformed firmware files. In that state the device starts a telnet service that runs with root privileges and accepts connections without authentication. Because the telnet interface is normally disabled and not intended to be exposed, this behavior creates an unintended remote administration interface.

To trigger the condition, an attacker must already be authenticated to the web management interface, since that is what exposes the firmware-upload function. Once the error state has been triggered, the resulting telnet service requires no authentication and provides full control of the device.

CVE-2025-65606: An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access.

Impact

A remote authenticated attacker may be able to activate a root telnet service and subsequently take complete control of the device. This may lead to configuration manipulation, arbitrary command execution, or establishing a persistent foothold on the network.

Solution

TOTOLINK has not released an update addressing this issue, and the product is no longer maintained. Users should restrict access to the management interface to trusted networks and trusted administrators, monitor the device for unexpected telnet activity (the service is normally disabled, so any listener on TCP port 23 is suspicious), and plan to replace the vulnerable device.
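One way to act on the monitoring advice above is a periodic probe that treats any reachable telnet listener on the extender as an alert, since the note states the interface is normally disabled. The following is an added example written for this note; it is not TOTOLINK or CERT/CC code. The function names (probe_telnet, alerts, local_stand_in), the placeholder address 192.0.2.10 and the loopback stand-in that greets with a shell prompt are assumptions made for illustration; nothing here reproduces or triggers the error condition itself.

```python
"""Watch a device on which telnet should be disabled for an unexpected
TCP/23 listener. Constructed example for the vulnerability note above; the
only fact it relies on is that telnet is normally off on the EX200, so a
service answering on the port is itself the indicator."""
import socket
import threading
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class TelnetCheck:
    host: str
    port: int
    reachable: bool
    banner: bytes  # first bytes the service sent; b"" if none or unreachable


def probe_telnet(host: str, port: int = 23, timeout: float = 2.0) -> TelnetCheck:
    """Complete a TCP handshake to host:port and capture what the service sends
    first. A refused, filtered or timed-out port all map to reachable=False;
    only an accepting listener counts, which avoids false alerts from a
    firewall that merely drops SYNs."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(256)
            except OSError:  # service accepted but sent nothing in time
                banner = b""
            return TelnetCheck(host, port, True, banner)
    except OSError:  # ConnectionRefusedError, TimeoutError and friends
        return TelnetCheck(host, port, False, b"")


def alerts(checks: list[TelnetCheck]) -> list[str]:
    """Turn probe results into alert lines. Any reachable telnet port is an
    alert because the interface is normally disabled; the captured banner is
    included so an analyst can see whether it looks like a login prompt or a
    shell prompt."""
    out = []
    for c in checks:
        if c.reachable:
            shown = c.banner[:40].decode("ascii", "replace").strip() or "<no banner>"
            out.append(f"ALERT {c.host}:{c.port} telnet reachable, first bytes: {shown!r}")
    return out


def local_stand_in(prompt: bytes = b"# ") -> tuple[int, Callable[[], None]]:
    """Start a loopback listener that greets every connection with a
    shell-style prompt. This is a constructed test double so the monitor can
    be exercised offline; it does not emulate the EX200 firmware. Returns the
    bound port and a function that stops the listener."""
    stop = threading.Event()
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.1)  # poll so the serving thread can notice stop()
    port = srv.getsockname()[1]

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(prompt)
        srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def shutdown() -> None:
        stop.set()
        thread.join()

    return port, shutdown


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used as a placeholder; replace it
    # with the extender's management address when running for real.
    for line in alerts([probe_telnet("192.0.2.10", timeout=1.0)]):
        print(line)
```

Run the script from a host that can reach the management network on a schedule (cron or a monitoring agent); because the check completes a full handshake, a listener that appears after the error condition is distinguished from a port that was merely unfiltered.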

Acknowledgements

Thanks to the reporter Leandro Kogan for bringing this to our attention. This document was written by Timur Snoke.

Vendor Information


Toto Link: Unknown

Notified: 2025-11-17 Updated: 2026-01-06

CVE-2025-65606: Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2025-65606
Date Public: 2026-01-06
Date First Published: 2026-01-06
Date Last Updated: 2026-01-06 14:49 UTC
Document Revision: 1

Sponsored by CISA.