CVE-2025-28137 – This vulnerability allows unauthenticated remot... (How to Fix)

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary commands on TOTOLINK A810R routers. Attackers can exploit the setNoticeCfg function via the NoticeUrl parameter without any authentication. Anyone using the affected router firmware version is at risk.

💻 Affected Systems

Products:

TOTOLINK A810R

Versions: V4.1.2cu.5182_B20201026

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices running this specific firmware version are vulnerable by default.

📦 What is this software?

A810r Firmware by Totolink

View all CVEs affecting A810r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full router compromise allowing attackers to intercept all network traffic, install persistent malware, pivot to internal networks, and brick the device.

🟠

Likely Case

Router takeover leading to DNS hijacking, credential theft from network traffic, and use as a botnet node.

🟢

If Mitigated

No impact if device is not internet-facing and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing and the exploit requires no authentication.

🏢 Internal Only: MEDIUM - Could still be exploited by internal attackers or through phishing/compromised internal hosts.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept code exists in GitHub repositories. The vulnerability requires no authentication and has simple exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check TOTOLINK website for firmware updates
2. Download latest firmware for A810R
3. Access router admin interface
4. Navigate to firmware upgrade section
5. Upload and apply new firmware
6. Reboot router after update

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router administration interface

Network segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

Replace vulnerable router with different model
Place router behind firewall with strict inbound rules

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is V4.1.2cu.5182_B20201026, device is vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Information page.

Verify Fix Applied:

Verify firmware version has changed from V4.1.2cu.5182_B20201026 to a newer version.

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to setNoticeCfg endpoint
Suspicious commands in system logs
Multiple failed login attempts followed by successful command execution

Network Indicators:

Unusual outbound connections from router
DNS queries to malicious domains
Unexpected SSH/Telnet connections from router

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/setNoticeCfg" OR cmd="*" OR "NoticeUrl")

📊 Metadata

CVE ID: CVE-2025-28137

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-78

EPSS Score: 11.87% exploit probability (93.6th percentile)

Published: April 15, 2025

Last Updated: April 29, 2025

🔗 References

https://github.com/Zerone0x00/CVE/blob/main/TOTOLINK/CVE-2025-28137.md Exploit,Third Party Advisory
https://sudsy-eyeliner-a59.notion.site/RCE1-1ab72b8cd95f80d09eded269810f3756?pvs=4 Exploit,Third Party Advisory
https://sudsy-eyeliner-a59.notion.site/RCE1-1ab72b8cd95f80d09eded269810f3756 Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-28137, you might also want to check these: