A peculiar and dangerous vulnerability has been uncovered in the TOTOLINK EX200 Wi-Fi extender, one that turns a standard error message into an open door for hackers. A new vulnerability note from CERT/CC details CVE-2025-65606, a flaw where the device reacts to a failed firmware update not by shutting down, but by launching an unauthenticated Telnet service with root privileges.
The vulnerability affects devices that are already End-of-Life (EOL), meaning the manufacturer has ceased support, leaving users with a permanent “zombie” gadget on their networks.
Usually, when a device encounters a corrupted file, it simply rejects it. The TOTOLINK EX200, however, does something far more risky. The flaw resides in the firmware-upload error-handling logic.
“In the End-of-Life (EOL) TOTOLINK EX200 firmware, the firmware-upload handler enters an abnormal error state when processing certain malformed firmware files,” the note explains.
When an attacker forces the device into this state, the extender tries to recover or debug itself in the worst way possible. “When this occurs, the device launches a telnet service running with root privileges and does not require authentication”.
While the vulnerability opens a massive hole, it does require a specific key to unlock. An attacker must first have access to the web management interface to trigger the bug.
“To exploit this vulnerability, an attacker must already be authenticated to the web management interface to access the firmware-upload functionality,” the report notes.
However, once that initial barrier is crossed, the escalation is total. By uploading a malformed file, a standard administrator can elevate themselves to full system owner. “Because the telnet interface is normally disabled and not intended to be exposed, this behavior creates an unintended remote administration interface”.
The most critical aspect of this report is the lack of a safety net. Because the EX200 is no longer maintained, no patch is coming to close this loophole.
“TOTOLINK has not released an update addressing this issue, and the product is no longer maintained,” the note confirms.
CERT/CC advises users to stop using the device if possible. If replacement isn’t an option, they recommend strict network segmentation. “Users should restrict administrative access to trusted networks, prevent untrusted users from accessing the management interface, monitor for unexpected telnet activity, and plan to replace the vulnerable device”.
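The mitigation list above includes "monitor for unexpected telnet activity" and "restrict administrative access to trusted networks". The following is an added example of what that monitoring could look like, not code from the CERT/CC note or from TOTOLINK: it parses a constructed flow-log format and flags any TCP session to port 23 on the extender (telnet is normally disabled on the EX200, so any session is a signal) plus any web-management connection arriving from outside the trusted admin subnet. The extender address, the trusted subnet, and the log line format are assumptions for the example.

```python
"""Flag unexpected telnet and out-of-subnet management access to a Wi-Fi extender.

Added example (not from the CERT/CC note). Assumed flow-log format:
  <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumptions for the example: the extender's address and the admin VLAN.
EXTENDER_IP = ipaddress.ip_address("192.168.1.50")
TRUSTED_MGMT_NET = ipaddress.ip_network("192.168.1.0/24")
TELNET_PORT = 23
WEB_MGMT_PORTS = {80, 443}

# Constructed sample flow records (not real captures).
SAMPLE_FLOWS = """\
2025-11-20T10:01:02Z 192.168.1.10:51000 -> 192.168.1.50:80 tcp allow
2025-11-20T10:01:09Z 192.168.1.10:51002 -> 192.168.1.50:80 tcp allow
2025-11-20T10:02:30Z 192.168.1.10:51010 -> 192.168.1.50:23 tcp allow
2025-11-20T10:03:00Z 10.0.5.7:44210 -> 192.168.1.50:80 tcp allow
2025-11-20T10:03:15Z 10.0.5.7:44211 -> 192.168.1.50:23 tcp allow
2025-11-20T10:04:00Z 192.168.1.10:51020 -> 8.8.8.8:53 udp allow
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dport: int
    reason: str


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(text):
    """Return findings for telnet sessions to the extender and for
    management-interface access from outside the trusted subnet."""
    findings = []
    for f in parse_flows(text):
        if f["proto"] != "tcp" or ipaddress.ip_address(f["dst"]) != EXTENDER_IP:
            continue
        src = ipaddress.ip_address(f["src"])
        dport = int(f["dport"])
        if dport == TELNET_PORT:
            # Telnet is normally disabled on the EX200, so any session to port 23
            # indicates the device has been pushed into the abnormal error state.
            findings.append(Finding(f["ts"], f["src"], dport,
                                    "telnet session to extender (service should be disabled)"))
        elif dport in WEB_MGMT_PORTS and src not in TRUSTED_MGMT_NET:
            findings.append(Finding(f["ts"], f["src"], dport,
                                    "management interface reached from outside trusted network"))
    return findings


def telnet_sources(text):
    """Distinct source addresses that opened telnet to the extender."""
    return sorted({f.src for f in analyse(text) if f.dport == TELNET_PORT})


if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(f"{finding.ts} {finding.src} -> :{finding.dport}  {finding.reason}")
```

Against the constructed sample, the script reports two telnet sessions to the extender (one from inside the admin subnet, one from outside) and one management-interface connection from outside the trusted network; in practice the same logic would be fed from a firewall or flow exporter, with port 23 to the extender treated as a high-severity alert regardless of the source.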