MEDIUM 4.3

CVE-2026-11494: TOTOLINK AC1200 T8 Privilege Escalation in vsftpd Configuration

A privilege escalation vulnerability has been discovered in TOTOLIK AC1200 T8 running firmware version 4.1.5cu.8611. The flaw resides in the vsftpd (Very Secure FTP Daemon) configuration file and allows an authenticated attacker to modify settings in a way that violates the principle of least privilege. While the vulnerability requires valid login credentials to exploit, successful attacks could lead to unauthorized configuration changes that broaden attacker capabilities on the device. Public disclosure of this issue means exploitation techniques are available in the wild.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-266, CWE-272
Affected products
0 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in TOTOLINK AC1200 T8 4.1.5cu.8611. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation leads to least privilege violation. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11494 is an improper privilege management vulnerability affecting the vsftpd service configuration on TOTOLINK AC1200 T8 routers running firmware 4.1.5cu.8611. The vulnerability stems from insufficient access controls on the /etc/vsftpd.conf file, enabling authenticated users to manipulate FTP daemon settings beyond their intended authorization level. This maps to CWE-266 (Incorrect Privilege Assignment) and CWE-272 (Improper Privilege Management), indicating that the application fails to properly enforce permission boundaries. The attack vector is network-based and requires valid credentials, but the barrier to exploitation is low once access is obtained. The CVSS 3.1 score of 4.3 reflects a medium-severity issue with integrity impact but no confidentiality or availability risk in the base case.

Business impact

For organizations deploying TOTOLINK AC1200 T8 routers in branch offices, remote sites, or network perimeter roles, this vulnerability introduces an insider risk and lateral movement concern. An employee with basic device access or a compromised low-privileged account could reconfigure FTP settings to enable unauthorized data exfiltration, weaken authentication, or establish persistence. The integrity impact is the primary concern: attackers could alter legitimate FTP configurations, potentially disrupting secure file transfer operations or creating covert channels. While the CVSS score is moderate, the practical risk depends on whether your environment relies on TOTOLINK devices in security-sensitive roles and the trust model governing who has legitimate access to these systems.

Affected systems

TOTOLINK AC1200 T8 routers running firmware version 4.1.5cu.8611 are confirmed vulnerable. The advisory does not specify whether earlier or later firmware versions are affected; vendors and product variants are not documented in the source data. Organizations should assume that other TOTOLINK T8 firmware revisions may be similarly vulnerable until vendor testing clarifies the scope. Devices deployed as wireless access points, gateway routers, or in remote management scenarios warrant immediate attention.

Exploitability

This vulnerability is rated as publicly disclosed with available exploitation methods. Exploitation requires network access to the device and valid authentication credentials—a typical credential set might be default factory credentials or stolen user passwords. An attacker must directly interact with the affected configuration file, which suggests either SSH/console access or an exposed management interface. The low complexity (AC:L) indicates that standard exploitation tools and techniques suffice; no advanced skill is required once access is gained. The threat level is elevated by public disclosure; adversaries can reference published details to streamline attacks.

Remediation

Immediate steps should include: (1) Verify your inventory of TOTOLINK AC1200 T8 devices and identify those running firmware 4.1.5cu.8611; (2) Check the TOTOLINK vendor website and product support portal for a patched firmware release addressing CVE-2026-11494; (3) Prioritize patching devices in high-trust network zones or those with broad user access; (4) As an interim control, restrict network access to device management interfaces and enforce strong authentication; (5) Audit the /etc/vsftpd.conf file on vulnerable devices for any unauthorized modifications. Test patches in a lab environment before wide deployment to ensure compatibility with your network setup.

Patch guidance

Consult the official TOTOLINK support channel and security advisories for the corrected firmware version applicable to AC1200 T8. The source data does not specify a patch version number; verify against the vendor advisory before deployment. Firmware updates for TOTOLINK devices typically require device reboot, so schedule patching during a maintenance window. Confirm that the patch version explicitly addresses CVE-2026-11494 and does not introduce new regressions. If no patch is available, evaluate whether to replace the affected devices or implement compensating network-layer controls (e.g., firewall rules restricting access to FTP services).

Detection guidance

Monitor for suspicious modifications to /etc/vsftpd.conf on affected devices using file integrity monitoring (FIM) tools or SIEM log aggregation. Log and alert on authentication events to the device's management interface, paying special attention to failed login attempts or successful logins from unexpected IP ranges. If TOTOLINK devices export syslog, search for FTP daemon errors, permission denials, or configuration reload events. Review network traffic for unusual FTP activity (e.g., connections to unexpected external hosts or non-standard ports). Anomalous configuration restarts or rapid successive access attempts may also signal exploitation.

Why prioritize this

This vulnerability merits urgent but measured attention. The CVSS score of 4.3 places it in the medium severity band, but the presence of public exploit code and the low complexity of exploitation justify prioritization above baseline patch cycles. The integrity impact—unauthorized configuration changes—can enable follow-on attacks or data theft. Prioritize patching if your TOTOLINK devices are (a) used in production networks handling sensitive data, (b) accessible to untrusted users, or (c) deployed in roles that provide network perimeter access. Lower-risk deployments (e.g., non-critical guest networks with restricted device access) may defer patching pending vendor clarity on other affected versions.

Risk score, explained

The CVSS 3.1 base score of 4.3 (Medium) reflects: attack vector = network (AV:N), attack complexity = low (AC:L), privileges required = low (PR:L), user interaction = none (UI:N), scope = unchanged (S:U), confidentiality = none (C:N), integrity = low (I:L), availability = none (A:N). This means the attack is easy to execute from the network for a low-privileged user, with no clickable prompts or system-level changes needed, but damage is limited to partial data integrity. The public disclosure status (KEV = false but exploit code is known) does not alter the base score but increases real-world risk. Your environment-specific score may be higher if TOTOLINK devices manage critical functions or hold privileged network roles.

Frequently asked questions

Can this vulnerability be exploited without valid device credentials?

No. The CVSS vector indicates PR:L (low privileges required), meaning a user must already have some level of legitimate access to the device. However, 'low privileges' includes default credentials or common passwords, so if factory defaults are unchanged or weak credentials are in use, the practical barrier is minimal.

Does this vulnerability affect all TOTOLINK AC1200 models, or just the T8?

The advisory specifically names AC1200 T8 firmware 4.1.5cu.8611. Other TOTOLINK models and firmware revisions are not explicitly mentioned in the source data. Contact TOTOLINK support to determine whether your specific model or firmware is affected or whether a patched version exists.

What should we do if TOTOLINK has not released a patch?

Implement network segmentation to restrict administrative access to affected devices, enforce strong authentication (disable default credentials), and monitor configuration files for unauthorized changes. Evaluate the risk of replacing the device with a patched alternative. If the device is not critical to operations, consider decommissioning it pending vendor remediation.

Is this vulnerability actively being exploited in the wild?

The advisory states that exploit code has been publicly disclosed and 'may be used.' This does not confirm active attacks on your infrastructure, but it does mean that adversaries have documented exploitation techniques readily available. Monitor your networks and device logs for signs of suspicious activity targeting these systems.

This analysis is provided for informational purposes and should not be considered legal or professional security advice. Organizations are responsible for independently validating the applicability of this vulnerability to their systems and implementing appropriate remediation measures. Patch information and version details should be verified against official vendor advisories before deployment. SEC.co does not assume liability for actions taken based on this analysis. Consult your organization's security policies and vendor documentation for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).