CVE-2025-28028

7.3 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

A buffer overflow vulnerability in TOTOLINK routers' downloadFile.cgi component allows attackers to execute arbitrary code by sending specially crafted requests to the v5 parameter. This affects multiple TOTOLINK router models running specific vulnerable firmware versions. Attackers could potentially gain full control of affected devices.

💻 Affected Systems

Products:

• TOTOLINK A830R
• TOTOLINK A950RG
• TOTOLINK A3000RU
• TOTOLINK A3100R

Versions: Specific firmware versions: A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, A3100R V4.1.2cu.5247_B20211129

Operating Systems: Embedded Linux (router firmware)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web interface's downloadFile.cgi component. Other firmware versions may also be vulnerable but not confirmed.

📦 What is this software?

A3000ru Firmware by Totolink

View all CVEs affecting A3000ru Firmware →

A3100r Firmware by Totolink

View all CVEs affecting A3100r Firmware →

A830r Firmware by Totolink

View all CVEs affecting A830r Firmware →

A950rg Firmware by Totolink

View all CVEs affecting A950rg Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence, lateral movement in network, and data exfiltration.

🟠

Likely Case

Device takeover enabling network reconnaissance, traffic interception, and potential pivot to internal systems.

🟢

If Mitigated

Denial of service or limited impact if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and the exploit appears to be unauthenticated.

🏢 Internal Only: MEDIUM - If routers are not internet-facing but accessible internally, risk remains significant for network compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

References indicate proof-of-concept exists. Buffer overflow vulnerabilities in network devices are commonly weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download latest firmware for your model. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload and apply new firmware. 6. Reboot router.

🔧 Temporary Workarounds

Disable WAN access to admin interface

all

Prevent external exploitation by disabling remote administration

Copy

Access router admin panel → Security/Remote Management → Disable Remote Management

Network segmentation

all

Isolate routers from critical internal networks

Copy

Configure firewall rules to restrict router access to management VLAN only

🧯 If You Can't Patch

• Replace vulnerable routers with supported models from different vendors
• Implement strict network access controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Copy

Check router firmware version in admin interface and compare with affected versions list

Check Version:

Copy

Access router web interface → System Status/Info → Check Firmware Version

Verify Fix Applied:

Copy

Verify firmware version has been updated to a version not in the affected list

📡 Detection & Monitoring

Log Indicators:

• Multiple failed requests to downloadFile.cgi
• Unusual POST requests with long v5 parameter values
• Router reboot events

Network Indicators:

• HTTP requests to router IP with downloadFile.cgi and large payloads
• Unusual outbound connections from router

SIEM Query:

Copy

source="router_logs" AND (uri="*downloadFile.cgi*" AND (content_length>1000 OR param_length>500))

📊 Metadata

CVE ID: CVE-2025-28028

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-120

EPSS Score: 0.15% exploit probability (35.5th percentile)

Published: April 23, 2025

Last Updated: May 6, 2025

🔗 References

• https://locrian-lightning-dc7.notion.site/BufferOverflow4-1948e5e2b1a280b9809af4db6f9e65d1 Exploit,Third Party Advisory
• https://locrian-lightning-dc7.notion.site/CVE-2025-28028-BufferOverflow4-1948e5e2b1a280b9809af4db6f9e65d1 Exploit,Third Party Advisory

📤 Share & Export

Twitter LinkedIn Reddit Copy Link

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-28028, you might also want to check these:

CVE-2023-24482 10.0

This CVE describes a critical buffer overflow vulnerability in COMOS software's cache validation ser...

Same vulnerability type (CWE-120)

CVE-2024-22039 10.0

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privi...

Same vulnerability type (CWE-120)

CVE-2022-22570 10.0

A buffer overflow vulnerability in UniFi Door Access Reader Lite firmware allows attackers with netw...

Same vulnerability type (CWE-120)