Login Sign Up

CVE-2025-28032

7.3 HIGH
Remote Code Execution Buffer Overflow

📋 TL;DR

This CVE describes a pre-authentication buffer overflow vulnerability in multiple TOTOLINK router models. Attackers can exploit this by sending specially crafted requests to the setNoticeCfg function via the IpForm parameter without authentication, potentially allowing remote code execution. All users running the specified vulnerable firmware versions on affected TOTOLINK router models are at risk.

💻 Affected Systems

Products:
  • TOTOLINK A800R
  • TOTOLINK A810R
  • TOTOLINK A830R
  • TOTOLINK A950RG
  • TOTOLINK A3000RU
  • TOTOLINK A3100R
Versions: V4.1.2cu.5137_B20200730, V4.1.2cu.5182_B20201026, V4.1.2cu.5182_B20201102, V4.1.2cu.5161_B20200903, V5.9c.5185_B20201128, V4.1.2cu.5247_B20211129
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable as this is a pre-authentication vulnerability in the web interface.

📦 What is this software?

A3000ru Firmware by Totolink

View all CVEs affecting A3000ru Firmware →

A3100r Firmware by Totolink

View all CVEs affecting A3100r Firmware →

A800r Firmware by Totolink

View all CVEs affecting A800r Firmware →

A810r Firmware by Totolink

View all CVEs affecting A810r Firmware →

A830r Firmware by Totolink

View all CVEs affecting A830r Firmware →

A950rg Firmware by Totolink

View all CVEs affecting A950rg Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete device compromise, persistence establishment, network pivoting, and data exfiltration.

🟠

Likely Case

Device crash/reboot causing denial of service, or limited code execution allowing configuration changes and network monitoring.

🟢

If Mitigated

Denial of service only if exploit attempts are blocked, with no code execution due to memory protections.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has public proof-of-concept available, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates. 2. Download appropriate firmware for your model. 3. Access router admin interface. 4. Navigate to firmware upgrade section. 5. Upload new firmware file. 6. Wait for reboot and verify version.

🔧 Temporary Workarounds

Disable WAN Management

all

Prevent external access to router web interface by disabling remote administration.

Network Segmentation

all

Isolate affected routers in separate VLANs with strict firewall rules.

🧯 If You Can't Patch

  • Replace affected routers with different models from vendors with better security track records
  • Implement strict network access controls to limit traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via admin interface and compare with affected versions list.

Check Version:

Login to router web interface and check System Status or Firmware Upgrade section.

Verify Fix Applied:

Verify firmware version has been updated to a version not listed in affected versions.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed HTTP POST requests to setNoticeCfg endpoint
  • Unusual traffic patterns to router management interface
  • Router reboot/crash logs

Network Indicators:

  • HTTP POST requests with unusually long IpForm parameter values
  • Traffic to router web interface from unexpected sources

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/setNoticeCfg" OR uri="*/setNoticeCfg") AND method="POST" AND size>1000

📊 Metadata

CVE ID: CVE-2025-28032
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-121
EPSS Score: 0.2% exploit probability (42.2th percentile)
Published: April 22, 2025
Last Updated: April 29, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-28032, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)