
CVE-2025-44655: n/a

Severity: Critical
Published: Mon Jul 21 2025 (07/21/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks.

AI-Powered Analysis

Last updated: 07/29/2025, 01:20:06 UTC

Technical Analysis

CVE-2025-44655 affects three TOTOLink router models: A7100RU V7.4, A950RG V5.9 and T10 V5.9. The finding concerns the vsftpd (Very Secure FTP Daemon) service shipped in the firmware, whose vsftpd.conf sets chroot_local_user=YES.

On its own, chroot_local_user=YES is the restrictive setting: it confines each authenticated local user to a chroot() jail rooted at that user's home directory (or at local_root, if set). The hazard that vsftpd's own documentation warns about lies in what surrounds it. If the root of the jail is writable, either because allow_writeable_chroot=YES is set or because the home directory itself is writable by the FTP user, a user with upload rights can plant files at the root of what the process treats as "/", which is the classic route to breaking out of the jail and escalating privilege; vsftpd 2.3.5 and later refuse such logins by default for exactly this reason, while older builds, still common in router firmware, do not. If the jail root is "/" itself (a system account whose home is "/", or local_root=/), the chroot confines nothing and the FTP user can read system files directly. The CVE description does not state which of these conditions holds on the affected firmware, so treat the published text as a pointer to the vsftpd chroot configuration rather than a full root-cause analysis.

In every variant the precondition is an FTP login: chroot_local_user applies to local (non-anonymous) users, so an attacker needs a usable account on the router, whether default, weak or previously stolen credentials, plus network reach to the FTP port. The outcomes the description lists, access to system files, privilege escalation and use of the router as a pivot into the internal network, follow from the device sitting at the network boundary.

This analysis quotes a CVSS v3.1 base score of 9.8 (network attack vector, low attack complexity, no privileges or user interaction required, high impact on confidentiality, integrity and availability). The record fields below, however, list no CVSS version, so that score is not part of the CVE record itself, and the "no privileges required" component sits uneasily with the need for an FTP account. No exploitation in the wild has been reported. The weakness is classified as CWE-266, Incorrect Privilege Assignment, which fits a configuration that grants FTP users more reach over the filesystem than intended. Because these are consumer and small office/home office (SOHO) routers, a compromised unit lets an attacker intercept, manipulate or disrupt traffic, reach connected devices and keep a persistent foothold in the network.

Potential Impact

For European organizations, this vulnerability matters most to small and medium-sized enterprises (SMEs) and home offices that rely on TOTOLink routers. Exploitation could lead to unauthorized access to internal systems, data leakage and disruption of business operations. The ability to escalate privileges on the router and pivot from it means an attacker could move laterally within the network behind it, potentially reaching critical assets and data repositories. Because the weakness sits in a network-facing FTP service and exploitation needs no user interaction, an attacker who can reach that service and log in to it could compromise the device remotely; the risk is highest where FTP is exposed on the WAN side, where default credentials are still in use, and where network segmentation or security monitoring is weak. Compromised routers are also routinely absorbed into botnets and used for distributed denial-of-service (DDoS) attacks, affecting broader internet infrastructure and service availability. The confidentiality, integrity and availability of organizational data and services are all at risk, with GDPR consequences if personal data is exposed or its availability is disrupted.

Mitigation Recommendations

1. Firmware updates: check whether TOTOLink has released firmware for the A7100RU, A950RG and T10 that addresses this issue and apply it promptly. On a consumer router the vsftpd.conf is part of the firmware image, so a vendor update is usually the only supported way to change it.
2. Configuration review: where the vsftpd.conf can be inspected (a root shell on the device, or the extracted firmware), keep chroot_local_user=YES but make sure allow_writeable_chroot is not set to YES, that the jail root (the user's home directory, or local_root if set) is not writable by the FTP user, and that no local user ends up jailed at /. Turning chroot_local_user off is not a fix; it removes the jail entirely.
3. Network segmentation: isolate these routers from critical internal networks so that a compromised unit cannot be used to move laterally.
4. Access controls: disable FTP in the router's web interface if it is not needed, never expose it on the WAN side, restrict it to trusted networks otherwise, and replace it with SFTP where a file-transfer service is genuinely required. Change any default FTP credentials, since the chroot only applies after a successful login.
5. Monitoring and detection: watch for FTP logins from unexpected sources, uploads of dotfiles or of paths outside the expected share, and signs of follow-on activity such as new listening services or lateral movement from the router's address.
6. Incident response readiness: prepare for the exploitation scenario, including isolating the device, pulling its configuration and logs, and forensic analysis of hosts it could reach.
7. Vendor engagement: use TOTOLink support channels to request a security advisory and a patched firmware for the affected models.
8. User awareness: tell users what a compromised router can do to their traffic and encourage them to report unusual network behaviour.
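The configuration review in recommendation 2, as an added example that is not TOTOLink's, vsftpd's or this page's own code: a small audit that parses a vsftpd.conf the way vsftpd does (option=value lines, "#" comments, later assignments overriding earlier ones, built-in defaults for options that are absent) and flags the chroot combinations discussed in the analysis above: no jail at all, a writable jail root, a jail rooted at /, and uploads landing in the jail root. The two sample configurations are constructed for the example, not recovered from any firmware, and the local_root path /srv/ftp/$USER is an assumption. The script reads only the file, so whether the jail root is actually writable on the device (ownership and permissions of the home directory) still has to be checked on the box.

```python
"""Audit a vsftpd.conf for the chroot settings behind this advisory.

Added example, not code from TOTOLink, vsftpd or the CVE record. The two
configurations below are constructed samples, not files taken from any
router firmware.
"""
import sys

# Constructed sample: chroot on, but the jail root is writable and uploads are
# allowed, the combination vsftpd's documentation describes as a security risk.
WEAK_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
"""

# Constructed sample: chroot on, jail root left read-only, uploads redirected to
# a per-user directory below it (local_root with user_sub_token; path assumed).
HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
allow_writeable_chroot=NO
local_root=/srv/ftp/$USER
user_sub_token=$USER
"""

# vsftpd's built-in defaults for the options the audit reads; an option absent
# from the file takes its default, exactly as vsftpd does.
DEFAULTS = {
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_enable": "NO",
    "allow_writeable_chroot": "NO",
}


def parse_vsftpd_conf(text):
    """Return {option: value} from a vsftpd.conf body.

    Mirrors vsftpd's line-based format: option=value, '#' lines are comments,
    and a later assignment overrides an earlier one. Keys are lower-cased.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip().lower()] = value.strip()
    return conf


def _yes(conf, key):
    """Boolean option lookup with vsftpd's default applied when the key is absent."""
    return conf.get(key, DEFAULTS.get(key, "NO")).upper() == "YES"


def audit_chroot_settings(conf):
    """Return (severity, message) findings about the chroot-related options."""
    findings = []
    if not _yes(conf, "local_enable"):
        return findings  # no local logins, so chroot_local_user never applies
    if not _yes(conf, "chroot_local_user"):
        findings.append(("high", "chroot_local_user=NO: local users can browse "
                         "every path their account may read"))
        return findings
    if _yes(conf, "allow_writeable_chroot"):
        findings.append(("high", "allow_writeable_chroot=YES: writable chroot "
                         "root, which vsftpd documents as a security risk"))
    if _yes(conf, "chroot_list_enable"):
        findings.append(("info", "chroot_list_enable=YES: users listed in "
                         "chroot_list_file are exempt from the jail"))
    root = conf.get("local_root")
    if root == "/":
        findings.append(("high", "local_root=/: a jail rooted at / confines nothing"))
    elif root is None and _yes(conf, "write_enable"):
        findings.append(("medium", "write_enable=YES with no local_root: uploads go "
                         "to the home directory, which is the jail root; verify "
                         "on the device that it is not writable by the FTP user"))
    return findings


def audit_file(path):
    """Audit a vsftpd.conf pulled from a device or extracted from a firmware image."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_chroot_settings(parse_vsftpd_conf(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        samples = [(p, audit_file(p)) for p in sys.argv[1:]]
    else:
        samples = [(n, audit_chroot_settings(parse_vsftpd_conf(t)))
                   for n, t in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF))]
    for name, found in samples:
        print(f"{name}: {'no findings' if not found else ''}")
        for severity, message in found:
            print(f"  [{severity}] {message}")
```

Run it with no arguments to audit the two embedded samples, or pass one or more vsftpd.conf paths. The weak sample produces a high finding for the writable jail root and a medium one because uploads target the jail root itself; the hardened sample produces none.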


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 687e6442a83201eaac116126

Added to database: 7/21/2025, 4:01:06 PM

Last enriched: 7/29/2025, 1:20:06 AM

Last updated: 8/10/2025, 6:01:47 PM
