Description
A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-06-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the vsftpd configuration file /etc/vsftpd.conf on TOTOLINK EX200 creates a least privilege violation, enabling an attacker to alter the configuration in a way that elevates privileges beyond the intended level. This could permit execution of commands with higher rights, potentially compromising the device entirely.

Affected Systems

The vulnerability afflicts the TOTOLINK EX200 router, specifically firmware version 4.0.3c.7646. It affects the vsftpd component, so any device running this firmware and exposing its FTP service is at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates a substantial risk. No EPSS score is available, but the public release of an exploit and confirmation that the attack is remotely launchable raise the likelihood of real‑world exploitation. While the flaw is not listed in the CISA KEV catalog, defenders should treat it with high priority because it can be abused by connecting to the FTP service and modifying the configuration file, assuming the device permits such writes.

Generated by OpenCVE AI on June 9, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device to the latest firmware that fixes the vsftpd.conf privilege issue
  • If a patch is not available, disable or uninstall the FTP service to eliminate the attack surface
  • Ensure that /etc/vsftpd.conf is owned by a privileged user and is not writable by non‑privileged users, enforcing the least privilege principle

Generated by OpenCVE AI on June 9, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
First Time appeared Totolink ex200
Vendors & Products Totolink ex200

Tue, 09 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in TOTOLINK EX200 4.0.3c.7646. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation results in least privilege violation. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.
Title TOTOLINK EX200 vsftpd vsftpd.conf least privilege violation
First Time appeared Totolink
Totolink ex200 Firmware
Weaknesses CWE-266
CWE-272
CPEs cpe:2.3:o:totolink:ex200_firmware:*:*:*:*:*:*:*:*
Vendors & Products Totolink
Totolink ex200 Firmware
References
Metrics cvssV2_0

{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Totolink Ex200 Ex200 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-09T16:00:26.436Z

Reserved: 2026-06-08T20:14:12.689Z

Link: CVE-2026-11620

cve-icon Vulnrichment

Updated: 2026-06-09T16:00:23.136Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T03:16:26.043

Modified: 2026-06-09T13:33:34.393

Link: CVE-2026-11620

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T04:30:42Z

Weaknesses