A CERT/CC advisory said on Jan 6, 2026 that an unpatched firmware flaw, CVE-2025-65606, in the TOTOLINK EX200 wireless range extender can cause the device to start an unauthenticated root telnet service, allowing a remote authenticated attacker full system access.
KEY FACTS
- Incident: Firmware flaw CVE-2025-65606 can trigger unauthenticated root telnet
- Affected product: TOTOLINK EX200 wireless range extender
- Access required: Attacker must be authenticated to the device web management interface
- Vendor status: No patch released and product not actively maintained
The firmware-upload error-handling logic can enter an abnormal error state when certain malformed firmware files are processed, causing the device to launch a telnet service with root privileges and without requiring authentication.
Successful exploitation requires access to the firmware-upload function via the management interface, and an attacker who succeeds could manipulate configuration, execute arbitrary commands, or establish persistence.
TOTOLINK's web page shows that the EX200 firmware was last updated in February 2023. The vendor has not released a patch for the flaw, and the product is no longer actively maintained.
In the absence of a vendor fix, users are advised to restrict administrative access to trusted networks, prevent unauthorized access to the management interface, monitor for anomalous activity, and consider upgrading to a supported model.
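The two mitigations that can actually be checked from the network side are the ones above: management access only from a trusted subnet, and watching for the symptom of the flaw, a telnet listener that the extender should never expose. The script below is an added example and is not part of the CERT/CC advisory or any TOTOLINK software. It assumes a hypothetical extender address (192.168.0.254), a hypothetical trusted admin subnet (192.168.0.0/28), and constructed firewall flow-log lines in a simple key=value syslog style; it flags any TCP/23 session to the extender and any management-interface (80/443) connection from outside the admin subnet.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical values for this example: the extender's LAN address and the
# subnet from which administration of it is permitted.
EXTENDER_IP = ipaddress.ip_address("192.168.0.254")
TRUSTED_ADMIN_NET = ipaddress.ip_network("192.168.0.0/28")
MGMT_PORTS = {80, 443}   # web management interface
TELNET_PORT = 23         # the service the flaw would unexpectedly start

# Constructed sample flow records (not real captures).
SAMPLE_LOG = """\
2026-01-07T08:01:12Z fw: proto=tcp src=192.168.0.5 dst=192.168.0.254 dport=80 action=allow
2026-01-07T08:02:40Z fw: proto=tcp src=192.168.0.77 dst=192.168.0.254 dport=80 action=allow
2026-01-07T08:03:05Z fw: proto=tcp src=192.168.0.77 dst=192.168.0.254 dport=23 action=allow
2026-01-07T08:03:09Z fw: proto=tcp src=192.168.0.5 dst=192.168.0.1 dport=23 action=allow
2026-01-07T08:04:00Z fw: proto=udp src=192.168.0.5 dst=192.168.0.254 dport=53 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dport: int
    reason: str


def parse_line(line):
    """Parse one key=value flow record; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def analyze(log_text):
    """Return findings for traffic to the extender that violates the two controls."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only TCP traffic whose destination is the extender itself is of interest.
        if rec is None or rec["dst"] != EXTENDER_IP or rec["proto"] != "tcp":
            continue
        if rec["dport"] == TELNET_PORT:
            # The extender should never listen on telnet; any session is a symptom.
            findings.append(Finding(rec["ts"], str(rec["src"]), rec["dport"],
                                    "telnet session to extender (device should not expose TCP/23)"))
        elif rec["dport"] in MGMT_PORTS and rec["src"] not in TRUSTED_ADMIN_NET:
            # Management interface reached from outside the allowed admin subnet.
            findings.append(Finding(rec["ts"], str(rec["src"]), rec["dport"],
                                    "management interface reached from outside trusted admin subnet"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} src={f.src} dport={f.dport}: {f.reason}")
```

On the constructed sample the script reports two findings, both from 192.168.0.77: a management-interface connection from outside the /28 and a telnet session to the extender. The telnet line to 192.168.0.1 is ignored because it is not addressed to the extender, which keeps the check specific to the device the advisory concerns.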
WHY IT MATTERS
The flaw lets attackers with management-interface credentials gain root-level access via an unintended telnet service, raising the risk of device takeover on unpatched or unsupported units. Owners should apply network restrictions or replace affected devices.