CVE-2026-11620: TOTOLINK EX200 vsftpd Configuration Integrity Flaw (CVSS 5.3)
TOTOLINK has released a vulnerability in the EX200 router (version 4.0.3c.7646) that allows an attacker to manipulate vsftpd configuration files remotely without authentication, potentially bypassing security restrictions. The flaw resides in how the device handles file permissions or access controls for the FTP service configuration, enabling an unauthenticated attacker over the network to make unauthorized changes that could weaken the router's security posture.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-266, CWE-272
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11620 is a privilege escalation flaw affecting the vsftpd component in TOTOLIK EX200 4.0.3c.7646. The vulnerability exists in the /etc/vsftpd.conf file handling and stems from improper privilege management (CWE-266: Improper Privilege Management; CWE-272: Sensitive Information in Log Files). The issue permits remote, unauthenticated modification of FTP service configuration without user interaction (CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N). This allows attackers to alter FTP daemon settings, potentially downgrading security controls or enabling unintended functionality. Public exploit code is available.
Business impact
Organizations deploying TOTOLINK EX200 routers as network gateways or edge devices face operational and security risks. An attacker could reconfigure the FTP daemon to permit weaker authentication, enable anonymous access, or modify file permissions, facilitating lateral movement, data exfiltration, or persistence mechanisms. While the CVSS score of 5.3 reflects integrity impact without confidentiality loss, the combination of remote exploitability, public proof-of-concept availability, and network-critical device placement elevates practical risk. Businesses relying on these routers should prioritize assessment and remediation to prevent unauthorized network access.
Affected systems
TOTOLINK EX200 routers running firmware version 4.0.3c.7646 are confirmed vulnerable. Organizations should verify whether this specific firmware version is deployed in production environments and check TOTOLIK's advisory for a complete list of affected firmware versions or model variants. Devices in DMZ or directly internet-facing positions present heightened exposure.
Exploitability
The vulnerability is highly exploitable. It requires no authentication (PR:N), no user interaction (UI:N), operates over the network (AV:N), and has low attack complexity (AC:L). Public exploit code is in circulation, lowering the barrier to weaponization. Automated scanning and exploitation attempts are likely already occurring. The absence of a KEV (Known Exploited Vulnerability) entry does not diminish the risk given public exploit availability and the straightforward attack path.
Remediation
Verify and deploy firmware updates from TOTOLIK that patch this vulnerability. Interim mitigation measures include: restricting network access to the EX200 management interface and FTP ports via firewall rules; disabling vsftpd/FTP services if not required for operational needs; and isolating vulnerable devices to trusted network segments. Monitor FTP access logs for suspicious configuration changes or unauthorized access attempts. Test patches in a non-production environment before wide deployment.
Patch guidance
Contact TOTOLIK support or check their security advisory page for the patched firmware version addressing CVE-2026-11620 for the EX200 model. Firmware patches should be applied through the device's web interface or command-line tools according to TOTOLIK's documented procedures. Ensure backups of current configurations are retained before upgrading. Verify successful patch installation by confirming the updated firmware version post-reboot and re-testing access controls.
Detection guidance
Monitor network traffic for unexpected connections to FTP ports (TCP 21) on affected EX200 devices, particularly from untrusted sources. Enable and review syslog or audit logs for modifications to /etc/vsftpd.conf, changes to FTP user permissions, or anomalous vsftpd daemon restarts. Implement network segmentation to baseline FTP traffic patterns and alert on deviations. Intrusion detection/prevention systems should be configured to flag attempts to access or modify the vsftpd configuration file remotely. Log all administrative access to device management interfaces.
Why prioritize this
This vulnerability warrants immediate attention despite its MEDIUM CVSS score due to four factors: (1) Remote unauthenticated exploitability on network-critical infrastructure; (2) Public availability of working exploits, indicating active threat landscape adoption; (3) Impact on device configuration integrity, which can enable secondary attacks; (4) Typical placement of routers in trusted network positions, making compromise a significant stepping stone for lateral movement. Organizations with internet-exposed EX200 routers should treat this as a short-term remediation priority.
Risk score, explained
The CVSS 3.1 score of 5.3 (MEDIUM) reflects the vulnerability's integrity impact without confidentiality or availability loss. However, this understates practical risk in security context: the attack surface (remote, unauthenticated, no interaction) is maximal, and the target (router configuration) is a high-value asset. The public exploit availability and the privilege-escalation nature of the flaw elevate operational risk beyond the numerical score. Organizations should apply additional context—network topology, internet exposure, and business criticality of affected devices—when determining urgency.
Frequently asked questions
Is TOTOLIK EX200 4.0.3c.7646 the only vulnerable firmware version?
No. The referenced firmware is confirmed vulnerable, but other versions may be affected. Consult TOTOLIK's official security advisory for the complete list of vulnerable versions and verify your deployed firmware against it. Avoid assumptions based solely on this CVE entry.
Can an attacker gain shell access or execute arbitrary code via this vulnerability?
This vulnerability is classified as a privilege/configuration integrity issue; the description does not indicate remote code execution or shell access. However, unauthorized modification of vsftpd configuration could enable secondary attacks (e.g., enabling features that expose systems to further exploitation). Treat configuration integrity compromise seriously within your broader threat model.
Do I need to patch immediately if my EX200 is behind a NAT or firewall?
Firewalls do reduce immediate exposure, but they are not a substitute for patching. If your firewall permits any inbound access to the device (e.g., for management, DDNS, or FTP), or if internal users can trigger exploitation, the device remains at risk. Patch as soon as operationally feasible; do not rely solely on perimeter defenses.
How can I tell if my device has been compromised by this vulnerability?
Review vsftpd.conf for unauthorized changes (compare against a known-good backup), check FTP access logs for suspicious logins or configuration modifications, and monitor for unexpected daemon restarts. If you lack local access to logs, consider resetting the device to factory defaults after patching to eliminate any artifacts of compromise, but first isolate it from production traffic.
This analysis is based on the CVE record published on 2026-06-09 and modified 2026-06-17. No patch version numbers, affected product lists, or KEV status are assumed beyond what is explicitly stated in the source data. Organizations must verify all remediation and detection guidance against TOTOLIK's official security advisory and their specific deployment context. SEC.co provides this intelligence for situational awareness; consult your vendor and security team before operational decisions. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11492MEDIUMD-Link DIR-823G Privilege Escalation in vsftpd Configuration
- CVE-2026-11494MEDIUMTOTOLINK AC1200 T8 Privilege Escalation in vsftpd Configuration
- CVE-2026-11497MEDIUMD-Link DCS-5615 Boa Web Server Privilege Escalation Vulnerability
- CVE-2026-11554MEDIUMTOTOLINK CP450 Privilege Escalation via vsftpd Configuration
- CVE-2026-11555LOWD-Link DGS-1100-08PD Privilege Escalation in Web Interface
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass