A serious and unpatched security flaw has been disclosed in the TOTOLINK EX200 wireless range extender. The vulnerability, tracked as CVE-2025-65606, allows a remote authenticated attacker to gain full system control by abusing a flaw in the device’s firmware-upload mechanism. The issue was publicly disclosed by the CERT Coordination Center (CERT/CC) on January 6, 2026, and currently has no available fix.
According to CERT/CC, CVE-2025-65606 is rooted in improper error handling within the firmware-upload logic of the TOTOLINK EX200. When the extender processes certain malformed firmware files, the upload handler can enter what CERT/CC described as an “abnormal error state.” This condition causes the device to start a telnet service running with root privileges.
Firmware Upload Error Triggers Root-Level Telnet Access
What makes this behavior especially dangerous is that the telnet service launched under these circumstances does not require authentication. The interface, which is normally disabled and not intended to be exposed, becomes an unintended remote administration channel. CERT/CC summarized the issue clearly, stating: “An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access.”
The vulnerability was discovered and responsibly reported by security researcher Leandro Kogan, who was credited by CERT/CC for identifying the flaw. The advisory was authored by Timur Snoke and published as Vulnerability Note VU#295169, with both the original release date and last revision listed as January 6, 2026.
Exploitation Requirements and Potential Impact of CVE-2025-65606
While exploitation of CVE-2025-65606 does require the attacker to already be authenticated to the web management interface of the TOTOLINK EX200, the resulting impact is severe. Access to the firmware-upload functionality is enough to trigger the vulnerability. Once the malformed firmware file is processed and the device enters the abnormal error state, the unauthenticated root-level telnet service becomes available.
From that point forward, an attacker gains unrestricted control of the device. CERT/CC warned that successful exploitation could lead to configuration manipulation, arbitrary command execution, or the establishment of persistent access on the network. Because the TOTOLINK EX200 functions as a network extender, compromise of the device may also enable lateral movement or broader network attacks.
CERT/CC emphasized that the unintended telnet interface increases the attack surface of the device. The advisory notes that this behavior could be leveraged to hijack susceptible devices, allowing attackers to maintain long-term control without relying on the original web authentication mechanism.
No Patch Available as Device Reaches End of Life
One of the most concerning aspects of CVE-2025-65606 is the absence of a vendor-provided fix. CERT/CC confirmed that TOTOLINK has not released any updates addressing the vulnerability, and the TOTOLINK EX200 is no longer actively maintained. Vendor status information was listed as “Unknown,” and the product has reached end-of-life.
Publicly available information shows that the last firmware update for the TOTOLINK EX200 was released in February 2023, nearly three years before the vulnerability was disclosed. As a result, users cannot rely on an official patch to remediate the issue.
In the absence of a fix, CERT/CC recommends several mitigation steps. These include restricting administrative access to trusted networks, preventing unauthorized users from accessing the management interface, and actively monitoring unexpected telnet activity. However, the advisory makes it clear that these measures are temporary protection rather than permanent solutions.
CERT/CC ultimately advises users to plan for replacing the TOTOLINK EX200 with a supported and actively maintained model. Given the severity of CVE-2025-65606 and the lack of ongoing vendor support, continued use of the device poses a sustained security risk.
Additional metadata associated with CVE-2025-65606 shows that the CVE was made public on January 6, 2026, with the first publication and last update occurring the same day at 14:49 UTC. The document revision is listed as version 1.
