Advisory

Unpatched root backdoor found in EoL TOTOLINK EX200 extenders

Take action: If you are using a TOTOLINK EX200, be aware that it can be exploited trivially by anyone with minimal access. Ideally, replace it with another device. If that's not possible, limit the number of authenticated users on the web management interface, use strong passwords, and never expose the management interface to the internet.


Learn More

The CERT Coordination Center (CERT/CC) reports a flaw in the TOTOLINK EX200 Wi-Fi range extender. This device helps boost wireless signals in homes and small offices.

The flaw, tracked as CVE-2025-65606 (CVSS score 8.8), is a firmware-upload error-handling bug that activates an unauthenticated root telnet service, granting full remote control. When a user attempts to upload a malformed or specially crafted firmware file, the system fails to handle the error correctly.

This failure puts the extender into a recovery state that starts a hidden telnet service. That service runs with root privileges and does not require a username or password.

To exploit this flaw, an attacker must already be logged into the web management interface. While this requires initial credentials, the vulnerability allows a standard user to escalate their power to full system administration. 

Because the manufacturer has designated this product as End-of-Life (EoL), it no longer receives security updates or technical support. Since TOTOLINK will not release a patch, the safest move is to stop using the EX200 immediately. If you cannot replace the hardware right away, block all access to the management interface from the internet.