CVE-2025-28034

9.8 CRITICAL

📋 TL;DR

This CVE describes a pre-authentication remote command execution vulnerability in multiple TOTOLINK router models. Attackers can execute arbitrary commands on affected devices without authentication by exploiting the NTPSyncWithHost function. All users of the listed TOTOLINK router models with vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • TOTOLINK A800R
  • TOTOLINK A810R
  • TOTOLINK A830R
  • TOTOLINK A950RG
  • TOTOLINK A3000RU
  • TOTOLINK A3100R
Versions: Specific vulnerable firmware versions:
  • A800R V4.1.2cu.5137_B20200730
  • A810R V4.1.2cu.5182_B20201026
  • A830R V4.1.2cu.5182_B20201102
  • A950RG V4.1.2cu.5161_B20200903
  • A3000RU V5.9c.5185_B20201128
  • A3100R V4.1.2cu.5247_B20211129
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of these firmware versions are vulnerable. The vulnerability exists in the NTPSyncWithHost function accessible via web interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the router allowing attackers to install persistent backdoors, intercept all network traffic, pivot to internal networks, and use the device for botnet activities.

🟠 Likely Case

Router takeover leading to network traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢 If Mitigated

Limited impact if devices are behind firewalls with strict inbound filtering and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, making them directly accessible to attackers worldwide.
🏢 Internal Only: MEDIUM - Exposure is lower when the device sits behind other network security controls, but it remains vulnerable to internal threats and to compromised upstream devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has a public proof-of-concept available. Exploitation is straightforward with known payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the TOTOLINK website for firmware updates.
2. Download the latest firmware for your specific model.
3. Access the router admin interface.
4. Navigate to the firmware upgrade section.
5. Upload the new firmware file.
6. Wait for the reboot and verify the version.

🔧 Temporary Workarounds

Disable remote administration (scope: all affected models) - Prevent external access to the router web interface.

Network segmentation and firewall rules (scope: all affected models) - Isolate routers and restrict access to management interfaces.

🧯 If You Can't Patch

  • Replace affected routers with different models or brands
  • Implement strict network segmentation to isolate routers from critical assets

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the admin interface and compare it with the affected versions list. If the version matches exactly, the device is vulnerable.

Check Version:

Access the router web interface and navigate to the System Status or About page to view the firmware version.

Verify Fix Applied:

After the firmware update, verify that the version number no longer matches any of the vulnerable versions. Test the NTPSyncWithHost function with safe payloads if possible.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to NTPSyncWithHost endpoint
  • Multiple failed login attempts followed by successful command execution
  • Unexpected system commands in logs

Network Indicators:

  • Unusual outbound connections from router
  • Traffic to known malicious IPs from router
  • DNS queries to suspicious domains

SIEM Query:

source="router_logs" AND (uri="*NTPSyncWithHost*" OR command="*;*" OR command="*|*" OR command="*`*")
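As an added example (not part of this advisory), a Python pass over constructed access-log lines that implements the same detection idea as the SIEM query: it flags NTPSyncWithHost requests whose percent-decoded parameter values contain the shell metacharacters `;`, `|` or a backtick, which a wildcard match on the still-encoded URI would miss. The log format, the path /hypothetical/cgi and the parameter name `host` are assumptions; only the function name NTPSyncWithHost comes from the advisory.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters the SIEM query above looks for in command fields.
META = re.compile(r"[;|`]")

# Constructed sample access-log lines (not real device logs). Assumed format:
# "<client> <method> <uri> <status>". The path and the "host" parameter are
# placeholders; line 2 and line 4 carry percent-encoded ";" and "`" characters.
SAMPLE_LOG = """\
192.0.2.10 GET /hypothetical/cgi?func=NTPSyncWithHost&host=pool.ntp.org 200
192.0.2.11 GET /hypothetical/cgi?func=NTPSyncWithHost&host=time.example.net%3Btrue 200
192.0.2.12 GET /hypothetical/cgi?func=GetStatus&host=a%7Cb 200
192.0.2.13 GET /hypothetical/cgi?func=NTPSyncWithHost&host=%60hostname%60 200
192.0.2.14 GET /index.html 200
"""


def suspicious_params(uri):
    """Return (name, value) pairs of an NTPSyncWithHost request whose decoded
    value contains a shell metacharacter; an empty list for any other request."""
    if "ntpsyncwithhost" not in unquote(uri).lower():
        return []
    query = urlsplit(uri).query
    # parse_qsl percent-decodes values, so "%3B" is inspected as ";".
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if META.search(value)]


def scan_log(text):
    """Return (client, uri, hits) for every suspicious line in an access log."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the scan
        client, _method, uri, _status = fields[:4]
        hits = suspicious_params(uri)
        if hits:
            findings.append((client, uri, hits))
    return findings


if __name__ == "__main__":
    for client, uri, hits in scan_log(SAMPLE_LOG):
        print(f"{client} -> {uri}: {hits}")
```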
