Skip to main content

TOTOLINK EX200 CVE-2026-11620

| EUVDEUVD-2026-35295 MEDIUM
Incorrect Privilege Assignment (CWE-266)
2026-06-09 cna@vuldb.com GHSA-37p7-4997-v5p5
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 03:32 vuln.today

DescriptionCVE.org

A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

AnalysisAI

Incorrect privilege assignment in the vsftpd service of TOTOLINK EX200 firmware 4.0.3c.7646 (B20201211) permits remote unauthenticated attackers to perform unauthorized write operations against the device over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack preconditions, making this broadly reachable. Publicly available exploit code exists (E:P per CVSS supplemental metrics and confirmed in description); no active exploitation via CISA KEV has been identified at time of analysis.

Technical ContextAI

The affected component is vsftpd (Very Secure FTP Daemon), a common FTP server embedded in consumer and SOHO networking devices. The misconfiguration resides in /etc/vsftpd.conf on the TOTOLINK EX200, a Wi-Fi range extender/repeater. CWE-266 (Incorrect Privilege Assignment) indicates the root cause is that the vsftpd process or its configuration grants file system permissions beyond what the FTP service role requires - a classic principle-of-least-privilege failure. In embedded router firmware this commonly manifests as the FTP daemon running with elevated system privileges or with writable access to sensitive paths, enabling an attacker to leverage the FTP interface to manipulate device files. No CPE strings were provided in the source data; the affected firmware identifier is 4.0.3c.7646 / B20201211.

RemediationAI

No vendor-released patch has been identified at time of analysis - the references point only to VulDB entries and a Notion-hosted researcher write-up, with no TOTOLINK security advisory or firmware update URL present. Administrators should check https://www.totolink.net/ for a firmware update addressing this issue. As a compensating control, disable or block access to the FTP service on the EX200 at the network perimeter - restricting TCP port 21 inbound at the upstream router will prevent remote exploitation, though this removes FTP-based management capability. If FTP is required, restrict access to trusted IP addresses only via firewall ACLs. Placing the device behind a NAT boundary with no port forwarding for port 21 limits exposure to the local network, substantially reducing attack surface. Note that firmware-level mitigations require vendor action; network-level controls are not a permanent fix.

Share

CVE-2026-11620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy