
SANS Internet StormCast
Johannes Ullrich’s latest Stormcast episode spotlights Tailsnitch, an open‑source Go binary designed to audit Tailscale VPN configurations. The tool scans for common missteps such as outdated client versions, improperly set auto‑updates, and non‑expiring access tokens, then assigns severity levels that stay grounded in real risk. Listeners learn that Tailsnitch can run in a read‑only detection mode or apply an automatic fix, though the latter is cautioned against on larger networks. By surfacing these issues early, administrators can tighten zero‑trust boundaries and keep their Tailscale mesh both performant and secure.
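To make the kind of checks described above concrete, here is an added example of a minimal, read‑only audit over a Tailscale device list. It is not Tailsnitch's code or the ISC diary's; the JSON keys (name, clientVersion, updateAvailable, keyExpiryDisabled, expires, tags) are assumed to follow the Tailscale admin API device object, and the payload is constructed for this example rather than captured from a tailnet. Severity follows the same principle the episode stresses: a permanent key on a tagged server is routine, the same key on an untagged user device is not.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Device is the subset of a Tailscale device record this audit needs.
// Key names are assumed to match the Tailscale admin API device object;
// the sample payload further down is constructed, not captured.
type Device struct {
	Name              string   `json:"name"`
	ClientVersion     string   `json:"clientVersion"`
	UpdateAvailable   bool     `json:"updateAvailable"`
	KeyExpiryDisabled bool     `json:"keyExpiryDisabled"`
	Expires           string   `json:"expires"` // RFC 3339; ignored when expiry is disabled
	Tags              []string `json:"tags"`
}

// Finding is one audit result for one device.
type Finding struct {
	Device   string
	Severity string // "high", "medium" or "low"
	Issue    string
}

// Audit decodes a {"devices": [...]} payload and reports stale clients,
// keys that never expire, and keys that have already lapsed.
func Audit(raw []byte, now time.Time) ([]Finding, error) {
	var payload struct {
		Devices []Device `json:"devices"`
	}
	if err := json.Unmarshal(raw, &payload); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, d := range payload.Devices {
		if d.UpdateAvailable {
			findings = append(findings, Finding{d.Name, "medium",
				"client " + d.ClientVersion + " is behind the current release"})
		}
		if d.KeyExpiryDisabled {
			// Tagged nodes (servers, CI runners) routinely run with expiry
			// disabled by design; an untagged user device with a permanent
			// key is the case that deserves attention.
			sev := "low"
			if len(d.Tags) == 0 {
				sev = "high"
			}
			findings = append(findings, Finding{d.Name, sev, "node key never expires"})
			continue
		}
		if d.Expires == "" {
			continue
		}
		exp, err := time.Parse(time.RFC3339, d.Expires)
		if err != nil {
			return nil, fmt.Errorf("%s: bad expires value %q: %w", d.Name, d.Expires, err)
		}
		if exp.Before(now) {
			findings = append(findings, Finding{d.Name, "medium",
				"node key expired on " + exp.Format("2006-01-02") + " (re-authentication required)"})
		}
	}
	return findings, nil
}

// CountBySeverity summarises findings for a one-line dashboard.
func CountBySeverity(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Severity]++
	}
	return counts
}

// sample is a constructed payload: four devices exercising each check.
const sample = `{"devices": [
  {"name": "laptop-alice", "clientVersion": "1.78.1", "updateAvailable": true,
   "keyExpiryDisabled": false, "expires": "2025-09-01T00:00:00Z", "tags": []},
  {"name": "build-runner", "clientVersion": "1.80.0", "updateAvailable": false,
   "keyExpiryDisabled": true, "expires": "0001-01-01T00:00:00Z", "tags": ["tag:ci"]},
  {"name": "old-nas", "clientVersion": "1.80.0", "updateAvailable": false,
   "keyExpiryDisabled": true, "expires": "0001-01-01T00:00:00Z", "tags": []},
  {"name": "phone-bob", "clientVersion": "1.80.0", "updateAvailable": false,
   "keyExpiryDisabled": false, "expires": "2025-01-15T00:00:00Z", "tags": []}
]}`

func main() {
	now, _ := time.Parse(time.RFC3339, "2025-06-01T00:00:00Z")
	findings, err := Audit([]byte(sample), now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-7s %-13s %s\n", f.Severity, f.Device, f.Issue)
	}
	fmt.Println(CountBySeverity(findings))
}
```

Against the constructed payload this yields one medium (stale client), one low (tagged server with permanent key), one high (untagged NAS with permanent key) and one medium (expired phone key). Feeding it a real export is a matter of replacing the constant with the API response; the point of keeping it read‑only is exactly the caution the episode raises about auto‑fix on larger networks.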
The show then shifts to legacy DSL modems that have been out of support since 2013. A newly disclosed code‑execution flaw resides in the dnscfg.cgi script, allowing unauthenticated attackers to inject OS commands and hijack DNS settings. Because the devices are effectively abandoned, patches are unavailable, forcing organizations to replace the hardware or, where feasible, flash community‑maintained firmware such as OpenWrt. Ullrich emphasizes that lingering legacy equipment represents a silent attack surface, especially when it continues to serve critical broadband connections.
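Until the hardware is replaced, the practical defensive move is to watch for anyone touching that endpoint. The following is an added example, not code from the episode, the advisory or the vendor, of a small detector over HTTP access logs (from an upstream proxy, an IDS HTTP log, or the device's own syslog where it exports one) in the common combined format. It assumes nothing about the real request parameters, which the page does not give: the dns1 name in the sample is hypothetical, and all five log lines are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Alert is one request to the vulnerable endpoint worth a ticket.
type Alert struct {
	Source   string
	Severity string // "high", "medium" or "low"
	Request  string
	Reason   string
}

// combined matches the leading fields of an Apache/NGINX combined log line:
// client IP, timestamp, method, request target, status.
var combined = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// shellMeta are characters that have no business in a DNS-server field.
const shellMeta = ";|&`$\n"

// ScanLog flags every request to dnscfg.cgi, rating it by whether the
// query string carries shell metacharacters and whether the client sits
// outside RFC 1918 space (a home modem's admin CGI should only ever be
// reached from the LAN).
func ScanLog(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		m := combined.FindStringSubmatch(line)
		if m == nil {
			continue // not a parseable access-log line
		}
		src, method, target := m[1], m[3], m[4]
		u, err := url.Parse(target)
		if err != nil || !strings.EqualFold(path.Base(u.Path), "dnscfg.cgi") {
			continue
		}
		// Decode once so %3B, %7C and friends are compared as the characters they become.
		query, err := url.QueryUnescape(u.RawQuery)
		if err != nil {
			query = u.RawQuery
		}
		ip := net.ParseIP(src)
		external := ip != nil && !ip.IsPrivate() && !ip.IsLoopback()

		switch {
		case strings.ContainsAny(query, shellMeta):
			alerts = append(alerts, Alert{src, "high", method + " " + target,
				"shell metacharacter in dnscfg.cgi query"})
		case external:
			alerts = append(alerts, Alert{src, "medium", method + " " + target,
				"admin CGI reached from outside the LAN"})
		default:
			// A POST body never appears in the access log, so LAN hits are
			// still recorded for correlation with later DNS changes.
			alerts = append(alerts, Alert{src, "low", method + " " + target,
				"dnscfg.cgi accessed from LAN"})
		}
	}
	return alerts
}

// sampleLog is constructed; the dns1 parameter name is hypothetical.
var sampleLog = []string{
	`192.168.1.20 - - [10/Jan/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`192.168.1.20 - - [10/Jan/2025:12:00:02 +0000] "POST /dnscfg.cgi HTTP/1.1" 200 88 "-" "Mozilla/5.0"`,
	`203.0.113.7 - - [10/Jan/2025:12:00:05 +0000] "GET /dnscfg.cgi?dns1=198.51.100.9%3Bid HTTP/1.1" 200 88 "-" "curl/8.0"`,
	`203.0.113.7 - - [10/Jan/2025:12:00:06 +0000] "GET /DNSCFG.CGI HTTP/1.1" 401 0 "-" "curl/8.0"`,
	`this line is not an access-log record and is skipped`,
}

func main() {
	for _, a := range ScanLog(sampleLog) {
		fmt.Printf("%-6s %-12s %-45s %s\n", a.Severity, a.Source, a.Request, a.Reason)
	}
}
```

The case‑insensitive path match and the percent‑decoding matter: an encoded semicolon or an upper‑cased script name would otherwise slip past a naive substring rule. Anything rated medium or high from a public address is strong evidence the modem's admin interface is exposed to the internet, which on its own justifies pulling the device regardless of whether an exploit succeeded.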
Finally, Ullrich examines the TOTOLINK EX200 extender, which suffers from a firmware‑update bug that can inadvertently launch an unauthenticated Telnet service. The behavior appears to be a fail‑safe intended for manual recovery, but it opens a backdoor that can be exploited with a simple port scan. No official patch exists, and the last firmware release dates back to 2023, effectively marking the product as end‑of‑life. Security teams are urged to inventory such devices, disable stray Telnet ports, and consider replacement to eliminate this lingering vulnerability.
Tool Review: Tailsnitch
https://isc.sans.edu/diary/Tool%20Review%3A%20Tailsnitch/32602
https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
https://kb.cert.org/vuls/id/295169