IT Consulting, Service and Management

Our decades of implementation and integration experience allow us to deliver best-in-class IT services to our customers

Security and Endpoint Protection

Defend your networks from active adversaries, ransomware, phishing, malware, and more.

Data Continuity

Backup and recovery services are a necessity for today's networks. We can help you determine where and when your data needs to live so that it is always available.

Cloud Services

With so many options and implementation scenarios available, let us help you determine how best to use new services available from the cloud.

Technology services dedicated to bridging the gap between technology and your business

Since 1996, our mission has always been to help our clients maximize productivity and efficiency by expertly maintaining existing infrastructures, as well as designing and implementing new technologies, allowing them to continue growing into the future.
  • Knowledgeable and friendly staff
  • Flexible consumption-based pricing models
  • Online strategy and consulting services
  • Decades of experience
Our Services

News, updates, trends and the latest info you need to know about IT

VU#295169: TOTOLINK EX200 firmware-upload error handling can activate an unauthenticated root telnet service

Overview
A flaw in the firmware-upload error-handling logic of the TOTOLINK EX200 extender can cause the device to unintentionally start an unauthenticated root-level telnet service. This condition may allow a remote authenticated attacker to gain full system access.
Description
In the End-of-Life (EoL) TOTOLINK EX200 firmware, the firmware-upload handler enters an abnormal error state when processing certain malformed firmware files. When this occurs, the device launches a telnet service running with root privileges and does not require authentication. Because the telnet interface is normally disabled and not intended to be exposed, this behavior creates an unintended remote administration interface.
To exploit this vulnerability, an attacker must already be authenticated to the web management interface to access the firmware-upload functionality. Once the error condition is triggered, the resulting unauthenticated telnet service provides full control of the device.
CVE-2025-65606
An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access.
Impact
A remote authenticated attacker may be able to activate a root telnet service and subsequently take complete control of the device. This may lead to configuration manipulation, arbitrary command execution, or establishing a persistent foothold on the network.
Solution
TOTOLINK has not released an update addressing this issue, and the product is no longer maintained. Users should restrict administrative access to trusted networks, prevent untrusted users from accessing the management interface, monitor for unexpected telnet activity, and plan to replace the vulnerable device.
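The advisory's mitigation includes monitoring for unexpected telnet activity. The following script is an added example for this page, not TOTOLINK's or the advisory author's code: it checks whether a host accepts connections on TCP/23 and captures the banner, stripping telnet option negotiation so the login prompt is readable. The target address TARGET is an assumption (replace it with the extender's management IP); the loopback listener is a constructed stand-in so the script runs offline. On an EX200 the telnet service is normally disabled, so a listening port is itself the indicator.

```python
"""Probe a host for an exposed telnet listener and capture its banner.

Added example for this page, not TOTOLINK's or the advisory author's code.
TARGET is an assumption: replace it with the EX200's management IP. The
local listener below is a constructed stand-in so the script runs offline.
"""
import socket
import threading

TARGET = "192.0.2.10"                  # assumption: the extender's management address
IAC = 0xFF                             # telnet "Interpret As Command" byte
NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)   # WILL, WONT, DO, DONT: three-byte sequences


def strip_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation so only the human-readable banner is left."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:             # IAC IAC is an escaped literal 0xFF
                out.append(IAC)
                i += 2
            elif cmd in NEGOTIATE:     # IAC <WILL|WONT|DO|DONT> <option>
                i += 3
            else:                      # any other two-byte command
                i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def telnet_probe(host: str, port: int = 23, timeout: float = 2.0):
    """Return (listening, banner). A True first element means the port accepted
    the TCP connection, which on an EX200 should not happen in normal operation."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                raw = s.recv(256)
            except OSError:            # no banner within the timeout still counts as listening
                raw = b""
            return True, strip_iac(raw)
    except OSError:                    # refused, unreachable, or timed out
        return False, b""


def start_demo_listener(banner: bytes) -> int:
    """Constructed stand-in for an unauthenticated telnet daemon on loopback;
    returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_loopback_port() -> int:
    """Find a loopback port with nothing listening (bind, note the number, release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo: a constructed daemon sends WILL ECHO, DO TERMINAL-TYPE, then a login prompt.
    port = start_demo_listener(b"\xff\xfb\x01\xff\xfd\x18login: ")
    listening, banner = telnet_probe("127.0.0.1", port)
    print("127.0.0.1:%d %s %r" % (port, "LISTENING" if listening else "closed", banner))
    # Real check against the assumed extender address:
    listening, banner = telnet_probe(TARGET)
    print("%s:23 %s %r" % (TARGET, "LISTENING" if listening else "closed", banner))
```

Run it from a host on the management network on a schedule; a transition from closed to LISTENING on the extender is the condition the advisory asks you to watch for. The check is read-only (a single connect and a short read), so it is safe to repeat.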
Acknowledgements
Thanks to the reporter Leandro Kogan for bringing this to our attention. This document was written by Timur Snoke.

VU#420440: Vulnerable Python version used in Forcepoint One DLP Client

Overview
A vulnerability in the Forcepoint One DLP Client allows bypass of the vendor-implemented Python restrictions designed to prevent arbitrary code execution. By reconstructing the ctypes FFI environment and applying a version-header patch to the ctypes.pyd module, an attacker can restore ctypes functionality within the bundled Python 2.5.4 runtime, enabling direct invocation of DLLs, memory manipulation, and execution of arbitrary code.
Description
The Forcepoint One DLP Client (version 23.04.5642 and potentially subsequent versions) shipped with a constrained Python 2.5.4 runtime that omitted the ctypes foreign function interface (FFI) library. Although this limitation appeared intended to mitigate malicious use, it was demonstrated that the restriction could be bypassed by transferring compiled ctypes dependencies from another system and applying a version-header patch to the ctypes.pyd module. Once patched and correctly positioned on the search path, the previously restrained Python environment would successfully load ctypes, permitting execution of arbitrary shellcode or DLL-based payloads.
Forcepoint acknowledged the issue and indicated that a fix would be included in an upcoming release. According to Forcepoint's published knowledge base article (KB 000042256), the vulnerable Python runtime has been removed from Forcepoint One Endpoint (F1E) builds after version 23.11, which is associated with Forcepoint DLP v10.2.
Impact
Arbitrary code execution within the DLP client may allow an attacker to interfere with or bypass data loss prevention enforcement, alter client behavior, or disable security monitoring functions. Because the client operates as a security control on enterprise endpoints, exploitation may reduce the effectiveness of DLP protections and weaken overall system security.
The complete scope of impact in enterprise environments has not been fully determined.
Solution
Forcepoint reports that the vulnerable Python runtime has been removed in Endpoint builds after version 23.11 (Forcepoint DLP v10.2).
Users should upgrade to Endpoint versions that have been validated to no longer contain python.exe.
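Validating an upgrade means confirming that no bundled interpreter remains and, if one does, whether the ctypes restriction the vendor relied on is still in place. The script below is an added example for this page, not Forcepoint's code: it walks an install directory for python.exe, asks each interpreter found for its version, and runs a harmless `import ctypes` in it. INSTALL_ROOT is an assumption (point it at the directory the client is actually installed under); when that directory does not exist, the script runs the same probes against the interpreter executing it so the logic can be exercised offline.

```python
"""Check whether a Forcepoint One Endpoint install still carries a Python
interpreter, and whether that interpreter can load ctypes.

Added example for this page, not Forcepoint's or the advisory author's code.
INSTALL_ROOT is an assumption: point it at the client's real install directory.
"""
import os
import subprocess
import sys

INSTALL_ROOT = r"C:\Program Files\Forcepoint"   # assumption; adjust to the real install directory
INTERPRETER_NAMES = ("python.exe", "python")


def find_interpreters(root: str, names=INTERPRETER_NAMES):
    """Walk root and return every file whose name is a Python interpreter name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() in names:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def interpreter_version(path: str, timeout: float = 15) -> str:
    """Run `<path> -V`; Python 2.x prints the version to stderr, 3.x to stdout, so read both."""
    r = subprocess.run([path, "-V"], capture_output=True, text=True, timeout=timeout)
    return (r.stdout + r.stderr).strip()


def ctypes_loads(path: str, timeout: float = 15) -> bool:
    """True if `import ctypes` succeeds in that interpreter, i.e. the FFI restriction
    described above is absent (or has been restored by the technique the advisory describes)."""
    r = subprocess.run([path, "-c", "import ctypes"], capture_output=True, timeout=timeout)
    return r.returncode == 0


def assess(root: str):
    """One record per interpreter found under root. An empty list is the desired result
    after upgrading to a build that no longer ships python.exe."""
    return [{"path": p, "version": interpreter_version(p), "ctypes": ctypes_loads(p)}
            for p in find_interpreters(root)]


def self_check():
    """Run the same probes against the interpreter executing this script
    (offline stand-in when no client install is present)."""
    exe = sys.executable
    found = exe in find_interpreters(os.path.dirname(exe), names=(os.path.basename(exe).lower(),))
    return {"path": exe, "found": found,
            "version": interpreter_version(exe), "ctypes": ctypes_loads(exe)}


if __name__ == "__main__":
    records = assess(INSTALL_ROOT) if os.path.isdir(INSTALL_ROOT) else [self_check()]
    for rec in records:
        print(rec)
```

A record whose version starts with "Python 2.5" and whose ctypes field is False matches the constrained runtime described above; a record with ctypes True means arbitrary native code can already be invoked from that interpreter. Either way the remediation is the same: move to a build in which assess() returns an empty list.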
Acknowledgements
Thanks to the reporter, Keith Lee.
This document was written by Timur Snoke.

VU#382314: Vulnerability in UEFI firmware modules prevents IOMMU initialization on some UEFI-based motherboards

Overview
A newly identified vulnerability in some UEFI-supported motherboard models leaves systems vulnerable to early-boot DMA attacks across architectures that implement UEFI and IOMMU. Although the firmware indicates that DMA protection is active, it fails to correctly initialize the IOMMU. Therefore, an attacker with physical access can use a malicious PCIe device to read or modify system memory before the operating system's defenses load. This exposes sensitive data and enables pre-boot code injection on affected systems running unpatched firmware.
Description
Modern systems rely on UEFI firmware and the Input–Output Memory Management Unit (IOMMU) to establish a secure foundation before the operating system loads. UEFI initializes hardware and enforces early security policies while the IOMMU restricts peripheral devices from performing unauthorized memory accesses. Together, these components help ensure that direct memory access (DMA)-capable devices cannot tamper with or inspect system memory during the critical pre-boot phase.
A vulnerability discovered in certain UEFI implementations arises from a discrepancy between reported and actual DMA protection. Even though firmware asserts that DMA protections are active, it fails to properly configure and enable the IOMMU during the early hand-off phase of the boot sequence. This gap allows a physically present attacker to use a malicious DMA-capable Peripheral Component Interconnect Express (PCIe) device to read or modify system memory before operating system-level safeguards are established. As a result, attackers could potentially access sensitive data in memory or influence the initial state of the system, thus undermining the integrity of the boot process.
Vendors whose products are affected have begun releasing firmware updates to correct the IOMMU initialization sequence and properly enforce DMA protections throughout boot. Users and administrators should apply these updates as soon as they become available to ensure their systems are not exposed to this class of pre-boot DMA attacks. In environments where physical access cannot be fully controlled, prompt patching and adherence to hardware security best practices are especially important. Because the IOMMU also plays a foundational role in isolation and trust delegation in virtualized and cloud environments, this flaw highlights the importance of ensuring correct firmware configuration even on systems not typically used in data centers.
Impact
Improper IOMMU initialization in UEFI firmware on some UEFI-based motherboards from multiple vendors allows a physically present attacker using a DMA-capable PCIe device to bypass early-boot memory protection. The attacker could access or alter system memory via DMA transactions processed before the operating system enables its security controls.
Solution
Users and administrators should apply the latest firmware updates as soon as they become available as these patches correct the IOMMU initialization issue and restore proper DMA protections during early boot. Because multiple vendors are affected and updates are being released on varying timelines, customers should regularly monitor the Vendor Information section for newly published advisories and updated firmware packages. Environments where physical access is difficult to control should prioritize patching promptly to reduce exposure to pre-boot DMA attacks.
Acknowledgements
Thanks to reporters Nick Peterson and Mohamed Al-Sharifi of Riot Games for identifying this issue and working with vendor teams and the Taiwanese CERT to coordinate the response and reach affected product vendors. This document was written by Vijay Sarvepalli.

Visit Our News Page

Contact us today if you'd like to know more about how we can keep your network working at its best

VistaNet, Inc is a technology consulting and services company, helping enterprises marry scale with agility to achieve competitive advantage.

We'd love to talk about your technology needs

Our experts would love to contribute their expertise and insights to your potential projects