A newly disclosed security flaw affecting the TOTOLINK EX200 wireless range extender can allow attackers to gain full control of the device by triggering an unintended root-level telnet service. The vulnerability remains unpatched, and the affected product is no longer actively maintained by the vendor.
The issue was published by the CERT Coordination Center (CERT/CC) and assigned CVE-2025-65606. According to the advisory, the flaw exists in the firmware-upload error-handling logic of the TOTOLINK EX200, where certain malformed firmware files can cause the device to enter an abnormal state and expose a telnet service running with root privileges.
Under normal conditions, telnet access is disabled on the TOTOLINK EX200 and is not intended to be reachable by users or administrators. However, CERT/CC explains that when the firmware-upload handler encounters a specific error condition, the device inadvertently launches a telnet daemon that does not require authentication. Once activated, the service provides unrestricted root access to the underlying operating system.
To exploit the vulnerability, an attacker must first be authenticated to the web-based management interface in order to access the firmware-upload functionality. While this requirement limits exposure to some degree, successful exploitation immediately removes all remaining access controls, effectively handing full system control to the attacker.
CERT/CC noted that the vulnerable firmware is present in an end-of-life product and that no security updates have been released to address the issue. TOTOLINK’s own documentation shows that the EX200 firmware was last updated in February 2023, and earlier firmware versions date back several years.
The impact of exploitation can be severe. An attacker with root access can modify device configurations, execute arbitrary commands, implant persistent backdoors, or use the compromised extender as a foothold to move laterally within the network. Because range extenders often sit inside trusted internal networks, compromise could also enable surveillance or interception of network traffic.
The vulnerability was discovered and responsibly disclosed by security researcher Leandro Kogan, with CERT/CC coordinating publication of the advisory. The vulnerability note confirms that the issue affects the firmware-upload handler logic and is not tied to a specific firmware version, suggesting the flaw may be architectural in nature.
In the absence of a patch, CERT/CC recommends that users restrict access to the TOTOLINK EX200’s administrative interface to trusted networks only, monitor for unexpected telnet activity, and prevent untrusted users from interacting with the device. Given the product’s end-of-life status, users are strongly advised to replace the TOTOLINK EX200 with a supported model that continues to receive security updates.
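One way to act on the "monitor for unexpected telnet activity" recommendation is a scheduled check that tests whether TCP port 23 has started accepting connections on the extender. The script below is an added example, not code from the CERT/CC advisory or from TOTOLINK. The device address is a constructed placeholder, and the check assumes the daemon opens with standard Telnet option negotiation (an IAC byte, 0xFF), which not every implementation does.

```python
import socket

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)


def probe_telnet(host, port=23, timeout=2.0):
    """Classify host:port as 'closed', 'open-telnet' or 'open-unknown'.

    'closed' means no TCP connection could be made (closed, filtered or host down).
    'open-telnet' means the service answered with Telnet option negotiation.
    'open-unknown' means the port accepted the connection but sent no IAC byte.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                first = s.recv(64)  # read only the greeting; nothing is sent
            except OSError:         # includes socket.timeout
                first = b""
    except OSError:
        return "closed"
    return "open-telnet" if IAC in first else "open-unknown"


def sweep(devices, port=23, timeout=2.0):
    """Probe each inventoried device; return {address: state} for every open port."""
    findings = {}
    for addr in devices:
        state = probe_telnet(addr, port, timeout)
        if state != "closed":
            findings[addr] = state
    return findings


if __name__ == "__main__":
    # Constructed placeholder (TEST-NET-1); replace with your extender's address.
    EXTENDERS = ["192.0.2.10"]
    for addr, state in sweep(EXTENDERS).items():
        print(f"ALERT {addr}: tcp/23 is {state}; telnet should be disabled on this device")
```

Because telnet is disabled on the EX200 under normal conditions, any result other than "closed" on the extender's address warrants investigation.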
