Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
AnalysisAI
Incorrect privilege assignment in the vsftpd service of TOTOLINK EX200 firmware 4.0.3c.7646 (B20201211) permits remote unauthenticated attackers to perform unauthorized write operations against the device over the network. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special attack preconditions, making this broadly reachable. Publicly available exploit code exists (E:P per CVSS supplemental metrics and confirmed in description); no active exploitation via CISA KEV has been identified at time of analysis.
Technical ContextAI
The affected component is vsftpd (Very Secure FTP Daemon), a common FTP server embedded in consumer and SOHO networking devices. The misconfiguration resides in /etc/vsftpd.conf on the TOTOLINK EX200, a Wi-Fi range extender/repeater. CWE-266 (Incorrect Privilege Assignment) indicates the root cause is that the vsftpd process or its configuration grants file system permissions beyond what the FTP service role requires - a classic principle-of-least-privilege failure. In embedded router firmware this commonly manifests as the FTP daemon running with elevated system privileges or with writable access to sensitive paths, enabling an attacker to leverage the FTP interface to manipulate device files. No CPE strings were provided in the source data; the affected firmware identifier is 4.0.3c.7646 / B20201211.
RemediationAI
No vendor-released patch has been identified at time of analysis - the references point only to VulDB entries and a Notion-hosted researcher write-up, with no TOTOLINK security advisory or firmware update URL present. Administrators should check https://www.totolink.net/ for a firmware update addressing this issue. As a compensating control, disable or block access to the FTP service on the EX200 at the network perimeter - restricting TCP port 21 inbound at the upstream router will prevent remote exploitation, though this removes FTP-based management capability. If FTP is required, restrict access to trusted IP addresses only via firewall ACLs. Placing the device behind a NAT boundary with no port forwarding for port 21 limits exposure to the local network, substantially reducing attack surface. Note that firmware-level mitigations require vendor action; network-level controls are not a permanent fix.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35295
GHSA-37p7-4997-v5p5