Signing code is a critical process for maintaining software integrity and developer trust. On a Windows-based system, Authenticode signing provides assurance after a program or driver has been posted that it has not been modified. Using Microsoft SignTool and a Key Storage Provider (KSP) service such as DigiCert® KeyLocker, executed software, DLLs, and installers can… Read More How to Sign Authenticode Files with SignTool using KSP Library?

The post How to Sign Authenticode Files with SignTool using KSP Library? appeared first on SignMyCode - Resources.

The post How to Sign Authenticode Files with SignTool using KSP Library? appeared first on Security Boulevard.

KINGSTON — The city is planning to celebrate the 10th anniversary of The Tragically Hip’s final concert. Read More

A serious and unpatched security flaw has been disclosed in the TOTOLINK EX200 wireless range extender. The vulnerability, tracked as CVE-2025-65606, allows a remote authenticated attacker to gain full system control by abusing a flaw in the device’s firmware-upload mechanism. The issue was publicly disclosed by the CERT Coordination Center (CERT/CC) on January 6, 2026, and currently has no available fix.  According to CERT/CC, CVE-2025-65606 is rooted in improper error handling within the firmware-upload logic of the TOTOLINK EX200. When the extender processes certain malformed firmware files, the upload handler can enter what CERT/CC described as an “abnormal error state.” This condition causes the device to start a telnet service running with root privileges. 

Firmware Upload Error Triggers Root-Level Telnet Access 

What makes this behavior especially dangerous is that the telnet service launched under these circumstances does not require authentication. The interface, which is normally disabled and not intended to be exposed, becomes an unintended remote administration channel. CERT/CC summarized the issue clearly, stating: “An authenticated attacker can trigger an error condition in the firmware-upload handler that causes the device to start an unauthenticated root telnet service, granting full system access.”  The vulnerability was discovered and responsibly reported by security researcher Leandro Kogan, who was credited by CERT/CC for identifying the flaw. The advisory was authored by Timur Snoke and published as Vulnerability Note VU#295169, with both the original release date and last revision listed as January 6, 2026. 

Exploitation Requirements and Potential Impact of CVE-2025-65606 

While exploitation of CVE-2025-65606 does require the attacker to already be authenticated to the web management interface of the TOTOLINK EX200, the resulting impact is severe. Access to the firmware-upload functionality is enough to trigger the vulnerability. Once the malformed firmware file is processed and the device enters the abnormal error state, the unauthenticated root-level telnet service becomes available.  From that point forward, an attacker gains unrestricted control of the device. CERT/CC warned that successful exploitation could lead to configuration manipulation, arbitrary command execution, or the establishment of persistent access on the network. Because the TOTOLINK EX200 functions as a network extender, compromise of the device may also enable lateral movement or broader network attacks.  CERT/CC emphasized that the unintended telnet interface increases the attack surface of the device. The advisory notes that this behavior could be leveraged to hijack susceptible devices, allowing attackers to maintain long-term control without relying on the original web authentication mechanism. 

No Patch Available as Device Reaches End of Life 

One of the most concerning aspects of CVE-2025-65606 is the absence of a vendor-provided fix. CERT/CC confirmed that TOTOLINK has not released any updates addressing the vulnerability, and the TOTOLINK EX200 is no longer actively maintained. Vendor status information was listed as “Unknown,” and the product has reached end-of-life.  Publicly available information shows that the last firmware update for the TOTOLINK EX200 was released in February 2023, nearly three years before the vulnerability was disclosed. As a result, users cannot rely on an official patch to remediate the issue.  In the absence of a fix, CERT/CC recommends several mitigation steps. These include restricting administrative access to trusted networks, preventing unauthorized users from accessing the management interface, and actively monitoring unexpected telnet activity. However, the advisory makes it clear that these measures are temporary protection rather than permanent solutions.  CERT/CC ultimately advises users to plan for replacing the TOTOLINK EX200 with a supported and actively maintained model. Given the severity of CVE-2025-65606 and the lack of ongoing vendor support, continued use of the device poses a sustained security risk.  Additional metadata associated with CVE-2025-65606 shows that the CVE was made public on January 6, 2026, with the first publication and last update occurring the same day at 14:49 UTC. The document revision is listed as version 1. 

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed that a command injection vulnerability affecting Array Networks AG Series secure access gateways has been actively exploited in Japan since August 2025. The advisory, updated on December 5, 2025, states that attackers have leveraged the flaw to implant web shells and gain unauthorized access to internal networks.  According to JPCERT, the vulnerability originates in the DesktopDirect feature of the AG Series, Array Networks’ remote desktop access capability designed to help users connect securely to office resources. Although the issue was quietly resolved by the vendor on May 11, 2025, the lack of a public CVE identifier and the continued presence of unpatched devices have left a notable attack surface exposed.  “Exploitation of this vulnerability could allow attackers to execute arbitrary commands,” the advisory states. JPCERT added that systems running DesktopDirect are specifically at risk, emphasizing that the feature enablement is a prerequisite for successful exploitation. 

Ongoing Attacks Traced to a Single IP Address 

JPCERT reports that organizations in Japan have experienced intrusions tied to this security gap beginning in August 2025. In these incidents, attackers attempted to plant PHP-based web shells in paths containing “/webapp/,” a technique that would provide persistent remote access.   The agency noted that malicious traffic has consistently originated from the IP address 194.233.100[.]138, though the identity and motivations of the threat actors remain unclear. Details regarding the scope of the campaign, the tools deployed beyond web shells, or whether the attackers represent a known threat group have not yet been released. 

No Evidence Linking to Past Exploits of CVE-2023-28461 

The newly exposed vulnerability exists alongside another previously exploited flaw in the same product line, CVE-2023-28461, a high-severity authentication bypass rated CVSS 9.8. That earlier issue was abused in 2024 by a China-linked espionage group known as MirrorFace, which has targeted Japanese institutions since at least 2019.  Despite the overlap in affected systems, JPCERT emphasized that there is no current evidence connecting the recent command injection attacks with MirrorFace or with prior activity related to CVE-2023-28461. 

Affected Versions and Required Updates 

The vulnerability impacts ArrayOS AG 9.4.5.8 and earlier versions, all of which support the DesktopDirect functionality. Array Networks issued a fixed release, ArrayOS 9.4.5.9, to address the flaw. The company has advised users to test and deploy the updated firmware as soon as possible.  JPCERT cautioned administrators that rebooting devices after applying the patch may lead to log loss. Because log files are crucial to intrusion investigations, the agency recommends preserving these records before performing any update or system reboot. 

Workarounds 

For organizations unable to immediately apply the firmware update, Array Networks has provided temporary mitigation steps: 

• Disable all DesktopDirect services if the feature is not actively in use. 

• Implement URL filtering to block requests containing semicolons (“;”), a common vector used for command injection payloads. 

These measures aim to reduce exposure until patching becomes feasible.  In its advisory, JPCERT urged all users of affected products to examine their systems for signs of compromise. Reported malicious activity includes the installation of web shells, the creation of unauthorized user accounts, and subsequent internal intrusions launched through the compromised AG gateways.