CISA issues advisory on TOTOLINK EX200 unauthenticated root telnet
TOTOLINK EX200 wireless extenders running End-of-Life (EoL) firmware contain a flaw in the error-handling logic of the firmware-upload handler. Triggering it causes the device to start a telnet service that runs as root and requires no authentication; a remote attacker who is authenticated to the web management interface can use this to obtain full system access.
The firmware-upload handler enters an abnormal error state when it processes certain malformed firmware files. In that state the device starts a telnet service with root privileges and no authentication, although the telnet interface is normally disabled and is not intended to be exposed. Reaching the firmware-upload functionality requires authentication to the web management interface, but once the error condition has been triggered the telnet service grants full control of the device to anyone who can connect to it. The vulnerability is tracked as CVE-2025-65606.
A remote authenticated attacker may be able to activate the root telnet service and take complete control of the device. This may lead to configuration manipulation, arbitrary command execution, or a persistent foothold on the network.
The vendor, TOTOLINK, has not released an update addressing this issue, and the product is no longer maintained.
The advisory recommends restricting administrative access to trusted networks, preventing untrusted users from reaching the management interface, monitoring for unexpected telnet activity (the service is normally disabled, so any telnet listener on the device is a sign that the error condition has been triggered), and planning to replace the vulnerable device.
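The "monitor for unexpected telnet activity" recommendation is easy to turn into a periodic check from a management host: connect to the extender, read whatever the listener sends first, and classify it. The following is an added example written for this page, not code from CISA, TOTOLINK or the advisory. It assumes the rogue service listens on the standard telnet port 23 (the advisory does not name a port) and speaks ordinary telnet option negotiation (RFC 854 IAC sequences); the local listener and its banner bytes are constructed stand-ins so the script runs offline.

```python
"""Probe a host for a telnet listener and classify what it presents.
Added example for the TOTOLINK EX200 advisory; not CISA's or the vendor's code.
Assumptions: the unexpected service uses TCP port 23 and standard telnet
option negotiation. start_fake_listener() is a constructed stand-in for testing.
"""
import socket
import threading

IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0


def strip_telnet_options(data: bytes) -> tuple[bytes, bool]:
    """Remove IAC command/negotiation sequences, returning (plain text, saw_negotiation)."""
    out, negotiated = bytearray(), False
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:                      # truncated IAC at end of buffer
            break
        cmd = data[i + 1]
        if cmd == IAC:                      # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
            continue
        negotiated = True
        if cmd in (WILL, WONT, DO, DONT):   # IAC <cmd> <option>: three bytes
            i += 3
        elif cmd == SB:                     # IAC SB ... IAC SE subnegotiation
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                               # other two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out), negotiated


def classify_banner(data: bytes) -> str:
    """Classify the first bytes sent by a listener on the telnet port."""
    if not data:
        return "no-banner"
    text, negotiated = strip_telnet_options(data)
    lowered = text.lower()
    if any(k in lowered for k in (b"login", b"password", b"username")):
        return "telnet-login-prompt"        # telnet, but at least asks for credentials
    if text.rstrip().endswith((b"#", b"$", b">")):
        return "telnet-shell-no-auth"       # a shell prompt with no login: the advisory's state
    if negotiated:
        return "telnet-negotiation-only"
    return "non-telnet"


def probe(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect, collect the initial banner (up to EOF, timeout or 4 KiB), classify it."""
    chunks: list[bytes] = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                while sum(map(len, chunks)) < 4096:
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass                        # quiet listener: classify what we have
    except OSError:
        return "closed-or-unreachable"      # the expected answer for a healthy EX200
    return classify_banner(b"".join(chunks))


def start_fake_listener(banner: bytes) -> int:
    """Constructed stand-in for a device listener: serves one connection, sends banner, closes."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> str:
    """Run the probe against a constructed listener that mimics an unauthenticated root shell."""
    port = start_fake_listener(b"\xff\xfb\x01\xff\xfb\x03\r\n# ")  # IAC WILL ECHO, IAC WILL SGA, prompt
    return probe("127.0.0.1", port)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))           # e.g. the extender's management IP
    else:
        print("local demo:", demo())
```

Run it on a schedule against the extender's management address. For a device that is supposed to have telnet disabled, any result other than "closed-or-unreachable" is worth an alert; "telnet-shell-no-auth" matches the state the advisory describes and should be treated as an indication that the error condition has been triggered and the device is under someone else's control. The classification is a heuristic based on the first bytes received, so a positive should be confirmed by hand rather than acted on blindly.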