The CERT Coordination Center has issued a warning about a critical security flaw affecting the discontinued Totolink EX200 wireless range extender. The vulnerability, tracked as CVE-2025-65606, can allow attackers to gain full control of affected devices by triggering an unintended Telnet service that runs with root privileges and requires no authentication.

Because the device is no longer supported and no patch is available, affected users face a permanent risk unless mitigations or device replacement are implemented. While exploitation requires initial authenticated access to the web interface, the resulting impact is severe and persistent.

Consumer and small-office networking devices are frequent targets for attackers due to long deployment lifecycles, weak default configurations, and limited update support. When such devices reach end-of-life, newly discovered vulnerabilities often remain permanently unpatched, turning them into long-term security liabilities.

Range extenders are particularly sensitive because they sit inside trusted networks, often with broad visibility into local traffic and connected systems.

CERT/CC disclosed that a flaw exists in the firmware-upload handling logic of the Totolink EX200. When the device processes a malformed firmware file, it enters an abnormal error state that unintentionally launches a Telnet service.

This Telnet service is not normally enabled, is undocumented, and is not protected by authentication. Once activated, it provides attackers with unrestricted root-level access to the device’s operating system.

The vulnerability was reported by security researcher Leandro Kogan and affects all known firmware versions of the EX200.

The issue resides in error-handling logic tied to the firmware upload mechanism.

Key technical details include:

While attackers must first authenticate to the web management interface to trigger the bug, once the Telnet service is active, any remote user can connect and gain full system control.

Because the Telnet interface is not intended to be exposed under any circumstances, CERT/CC describes this as an unintended remote administration interface.

Successful exploitation gives attackers complete control over the extender.

From this position, an attacker can modify network configurations, intercept or manipulate traffic, execute arbitrary commands, and potentially pivot deeper into the local network. In environments where the extender bridges trusted segments, this could enable broader compromise beyond the device itself.

The lack of a vendor patch significantly increases long-term risk.

This vulnerability underscores the hidden dangers of unsupported network infrastructure.

Even when exploitation requires initial access, the presence of an unauthenticated, root-level backdoor dramatically lowers the barrier for follow-on attacks. Over time, such devices become attractive targets for opportunistic scanning and automated exploitation.

For organizations and home users alike, end-of-life hardware represents a silent but growing attack surface.

CERT/CC advises users to restrict administrative access to trusted networks, prevent untrusted users from accessing the management interface, monitor for unexpected Telnet activity, and plan to replace the device entirely.

Given the absence of a fix and the age of the product, replacement is considered the most reliable long-term mitigation.