External risk intelligence

TOTOLINK Routers Insecure FTP Configuration Allows Unauthorized Access

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-44655

The affected products are consumer/SOHO networking routers. FTP services on these devices are commonly enabled and exposed to the WAN interface for remote file access or management, making them frequently reachable from the public internet in standard deployment configurations.

Privilege Escalation

Totolink A7100ru Firmware

7.45.9

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in specific TOTOLINK router models that could allow unauthorized access to system files, elevate user privileges, or be used as a launchpad for internal network attacks. The issue stems from a default configuration setting that creates a security weakness, potentially exposing sensitive information and system controls.

  • Unsecured FTP settings enable unauthorized system access.
  • This vulnerability could allow attackers to compromise the network.
  • Confirm if these TOTOLINK routers are in your environment.

Attack Path

How an attacker could exploit the issue

An attacker could reach a vulnerable router over the internet and leverage a misconfiguration in its FTP service. This misconfiguration allows an attacker to gain unauthorized access to sensitive system files, which could then be used to escalate their privileges or move further into a network.

  • Remote network access required.
  • Triggered by connecting to the FTP service.
  • Leads to unauthorized system access.

Live Threat

Current exploitation, exposure, and threat context

When the `chroot_local_user` option is enabled on affected TOTOLINK devices, it could allow an unauthenticated attacker to gain unauthorized access to sensitive system files, potentially leading to further compromise of the device and internal network.

  • Unauthorized access to system files.
  • Via an exposed FTP service.
  • Server may be used as an internal network pivot.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the nature of the affected devices (consumer/SOHO routers), infrastructure or network teams are likely responsible for managing these devices. The initial step is to identify all instances of the affected devices, determine their network exposure and business criticality, and then assign ownership to the appropriate team for remediation planning.

  • Identify affected devices and their owners.
  • Verify network exposure and criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What are the TOTOLink A7100RU, A950RG, and T10 routers?

These are consumer and small-office networking routers. They manage internet traffic for homes and small businesses, often providing features like file sharing through built-in FTP services. Because they act as the gateway between your local devices and the wider internet, they are central components for maintaining network connectivity.

How does CVE-2025-44655 create a security weakness?

This vulnerability is classified as CWE-266, which relates to incorrect privilege assignment. In these specific router models, a configuration setting for the FTP service fails to properly restrict user access. This allows someone to reach files and system functions they should not be able to see or control, essentially bypassing standard security boundaries.

What triggers this vulnerability in the router's FTP service?

The vulnerability is triggered by interacting with the device's FTP service when the specific misconfiguration is active. It does not require a user to be logged in with valid credentials, nor does it require complex manipulation of the device. If the FTP service is reachable, the flaw can be leveraged simply by connecting to it.

Is my device at risk if it is not facing the public internet?

Halo Surface Signal notes that these routers frequently have FTP services exposed to the public internet for remote file access, making them primary targets. If your router is restricted to internal use only, it is less reachable by external attackers, though the underlying configuration error remains a security concern for any user who can reach the FTP interface.

What should I do if I manage one of these TOTOLink devices?

Your first step is to locate all instances of these specific models within your network and confirm which ones are currently in use. Once identified, evaluate whether the FTP service is necessary for your daily operations. If it is not required, disabling the service entirely is the most effective way to remove this specific attack path while you plan further updates.