Totolink Routers: Three vsftpd Least Privilege Vulnerabilities Disclosed

Key findings
- Three medium-severity vulnerabilities in Totolink routers disclosed together.
- All flaws affect the vsftpd component and relate to least privilege violations.
- Exploits for all three vulnerabilities have been publicly disclosed.
- Affected models include Totolink EX200, CP450, and AC1200 T8.
- Vulnerabilities stem from manipulation of the /etc/vsftpd.conf file.
On June 8th and 9th, 2026, a cluster of three medium-severity vulnerabilities affecting the vsftpd component in several Totolink router models was disclosed. These vulnerabilities, all related to least privilege violations and remotely exploitable, were published within a 20-hour window, indicating a coordinated disclosure event. The common theme across these flaws is the manipulation of the /etc/vsftpd.conf file, allowing attackers to potentially gain elevated privileges.
Two of the vulnerabilities, CVE-2026-11554 and CVE-2026-11494, were disclosed on June 8th. CVE-2026-11554 impacts the TOTOLINK CP450 running firmware version 4.1.0cu.747, while CVE-2026-11494 affects the TOTOLINK AC1200 T8 with firmware version 4.1.5cu.8611. Both are described as least privilege violations stemming from manipulation of the vsftpd configuration file.
The third vulnerability, CVE-2026-11620, was disclosed on June 9th and affects the TOTOLINK EX200 with firmware version 4.0.3c.7646. Similar to the others, this flaw also resides within the vsftpd component and the /etc/vsftpd.conf file, leading to a least privilege violation that can be exploited remotely.
All three vulnerabilities share the characteristic of being remotely exploitable and resulting in a least privilege violation. The descriptions explicitly state that exploits have been publicly disclosed and may be utilized, raising immediate concerns for users of the affected Totolink devices. While the specific impact of these privilege escalations is not detailed, such flaws can often be chained with other vulnerabilities to achieve full system compromise.
Details regarding specific patches or firmware updates that address these vulnerabilities are not immediately available in the disclosure information. However, given the nature of the flaws affecting the vsftpd configuration, users are strongly advised to check for any available firmware updates from Totolink for the affected models: EX200, CP450, and AC1200 T8. Proactive security measures, such as disabling unnecessary services like FTP if not in use, can also serve as a mitigation strategy.
This batch of disclosures highlights a recurring security concern within the vsftpd configuration on these consumer-grade networking devices. The public availability of exploits necessitates prompt attention from users to secure their devices against potential attacks. Further investigation into the precise impact and exploitability of each CVE is recommended for organizations utilizing these Totolink products.