CISA alerts on TOTOLINK AX1800 unauthenticated telnet flaw

TOTOLINK AX1800 routers, including the X5000R model, contain a web-management flaw that can be triggered without authentication and may enable telnet, potentially permitting remote code execution with root-level privileges.

The vulnerability is tracked as CVE-2025-13184 and arises from missing authentication at the /cgi-bin/cstecgi.cgi?action=telnet endpoint; an unauthenticated Hypertext Transfer Protocol (HTTP) request to that endpoint may result in arbitrary command execution at the administrative level.

Reported impacts include full access to configuration and filesystems. That level of access enables modification of routing, including Domain Name System (DNS) routing, interception of traffic, and lateral movement across the Local Area Network (LAN). There is also potential for Wide Area Network (WAN) access if router management or telnet becomes externally reachable.

The CERT/CC indicates it is currently unaware of a practical solution to this problem, and states that a firmware update is necessary for complete remediation.

The advisory recommends ensuring the web management interface is not exposed to the Wide Area Network (WAN) or any untrusted network, and restricting administrative interface access to trusted management hosts only. It also advises treating the X5000R router as untrusted from a security boundary point of view and, where possible, placing it behind a separate firewall or router and avoiding its use as the primary edge device. Finally, it advises blocking or monitoring unexpected traffic to telnet (TCP port 23) on the device, noting that the sudden appearance of an open telnet service on the router is a strong indicator of exploitation.
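
An added example of the monitoring recommended above (not code from the advisory or the vendor): it flags logged requests to the endpoint named in the advisory and alerts when telnet on TCP port 23 changes from closed to open on the router. The router address, the trusted-host list and the three-field log format are assumptions, and the sample log lines are constructed.

```python
import socket
from urllib.parse import urlsplit, parse_qs

ROUTER_IP = "192.0.2.1"         # assumption: placeholder for the router's LAN address
TRUSTED_MGMT = {"192.0.2.10"}   # assumption: the trusted management hosts
ENDPOINT_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory

def tcp_open(host, port=23, timeout=2.0):
    """True if a TCP connect to host:port succeeds; no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def telnet_appeared(was_open, is_open):
    """Alert only on the closed -> open transition between two polls."""
    return is_open and not was_open

def is_telnet_enable_request(url):
    """True if a logged URL is the advisory's endpoint with action=telnet."""
    parts = urlsplit(url)
    return parts.path == ENDPOINT_PATH and "telnet" in parse_qs(parts.query).get("action", [])

def scan_log(lines):
    """Return (src, url, src_is_trusted) for matching requests sent to the router."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        src, dst, url = fields
        if dst == ROUTER_IP and is_telnet_enable_request(url):
            hits.append((src, url, src in TRUSTED_MGMT))
    return hits

SAMPLE_LOG = [  # constructed lines in an assumed format: '<src_ip> <dst_ip> <url>'
    "192.0.2.10 192.0.2.1 /index.html",
    "192.0.2.77 192.0.2.1 /cgi-bin/cstecgi.cgi?action=telnet",
    "192.0.2.77 198.51.100.5 /cgi-bin/cstecgi.cgi?action=telnet",
    "192.0.2.77 192.0.2.1 /cgi-bin/cstecgi.cgi?action=other",
]

if __name__ == "__main__":
    for src, url, trusted in scan_log(SAMPLE_LOG):
        print(f"ALERT {src} requested {url} (trusted={trusted})")
    # was_open=False here; persist the last poll result in a real deployment
    if telnet_appeared(False, tcp_open(ROUTER_IP, timeout=0.5)):
        print(f"ALERT telnet newly open on {ROUTER_IP}")
```

Because the flaw requires no authentication, a hit from a trusted management host still warrants review; the trusted flag only helps with triage.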