CVE-2025-28138

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary OS commands on TOTOLINK A800R routers by exploiting improper input validation in the setNoticeCfg handler, which passes the NoticeUrl parameter to a shell without sanitizing it. A successful request gives the attacker full control of the device and a foothold on the network behind it. Anyone running the vulnerable firmware version is affected.

💻 Affected Systems

Products:
  • TOTOLINK A800R
Versions: V4.1.2cu.5137_B20200730
Operating Systems: Embedded Linux (router firmware)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific firmware version only; other versions may also be vulnerable but unconfirmed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover leading to network compromise, data exfiltration, lateral movement to other devices, and persistent backdoor installation in the firmware.

🟠 Likely Case

Router compromise allowing traffic interception, DNS hijacking, credential theft, and use as a botnet node.

🟢 If Mitigated

Limited impact if the web interface is not reachable from the WAN side and the device sits in a segmented network; note that hosts on the LAN can still reach the interface, and the exploit needs no credentials.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing, making them directly accessible to attackers worldwide.
🏢 Internal Only: MEDIUM - Internal attackers could exploit if they gain network access, but external exposure is primary concern.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept exists in a GitHub repository; exploitation consists of a single crafted, unauthenticated HTTP POST to the setNoticeCfg handler of the router's /cgi-bin/cstecgi.cgi endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: Yes (applying new firmware reboots the device; see step 5 below)

Instructions:

No official patch is available. Check the TOTOLINK website for firmware updates. If an update exists:

  1. Download the latest firmware from the vendor site.
  2. Log into the router admin interface.
  3. Navigate to the firmware upgrade section.
  4. Upload and apply the new firmware.
  5. Reboot the router.

🔧 Temporary Workarounds

Block External Access (applies to: all affected versions)

Configure the firewall so that inbound connections from the internet cannot reach the router web interface (TCP 80/443 on the WAN side).

Disable Remote Management (applies to: all affected versions)

Turn off the remote management (WAN-side administration) feature in the router settings. This removes the internet-facing exposure but does not protect against an attacker who is already on the LAN, since the request needs no authentication.

🧯 If You Can't Patch

  • Replace the vulnerable router with a different model or a version the vendor has confirmed as fixed
  • Put the router's management interface on a dedicated management VLAN and restrict which hosts can reach it

🔍 How to Verify

Check if Vulnerable:

Compare the firmware version shown in the admin interface (System Status or Firmware Upgrade section) with V4.1.2cu.5137_B20200730; an exact match is the confirmed-vulnerable build. Other builds are unconfirmed and should be treated as exposed until tested.

Check Version:

Log into the router web interface and read the firmware version string from the system settings page.

Verify Fix Applied:

A version string that differs from the vulnerable one is not by itself proof of a fix, because no vendor patch is known. Confirm on a lab device by re-sending the setNoticeCfg request with shell metacharacters in NoticeUrl and checking that the input is rejected or neutralized rather than executed.
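The version comparison above is easy to get wrong by hand when a fleet of devices reports slightly different strings. The following script is an added example (not from the advisory or from TOTOLINK) that parses the vendor's version format and classifies each string against the confirmed-vulnerable build. The regular expression is an assumption inferred from the single version string on this page, and the category names are ours.

```python
import re
from typing import NamedTuple, Optional

# The only build this advisory confirms as vulnerable.
VULNERABLE_VERSION = "V4.1.2cu.5137_B20200730"

# TOTOLINK strings look like V<major>.<minor>.<patch><variant>.<build>_B<yyyymmdd>.
# Assumption: the pattern is inferred from the one version string on this page.
VERSION_RE = re.compile(
    r"^V?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<variant>[a-z]*)\.(?P<build>\d+)_B(?P<date>\d{8})$",
    re.IGNORECASE,
)


class Firmware(NamedTuple):
    major: int
    minor: int
    patch: int
    variant: str
    build: int
    date: str

    def order_key(self):
        # Numeric fields and build date give the ordering; the variant tag
        # (e.g. "cu") is treated as a hardware/region label, not a version.
        return (self.major, self.minor, self.patch, self.build, self.date)


def parse_version(text: str) -> Optional[Firmware]:
    """Parse a version string as copied from the router's status page."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return Firmware(int(m["major"]), int(m["minor"]), int(m["patch"]),
                    m["variant"].lower(), int(m["build"]), m["date"])


def assess(text: str) -> str:
    """Classify a firmware string against the confirmed-vulnerable build.

    Only an exact match is a confirmed result. Older builds (and the same
    numeric build under another variant tag) are untested and should be
    treated as exposed; a newer build is not evidence of a fix, because no
    vendor patch is known for this CVE.
    """
    fw = parse_version(text)
    if fw is None:
        return "unparseable"
    vuln = parse_version(VULNERABLE_VERSION)
    if fw == vuln:
        return "known-vulnerable"
    if fw.order_key() <= vuln.order_key():
        return "older-unconfirmed"
    return "newer-unconfirmed"


if __name__ == "__main__":
    # Constructed inventory entries, not real device output.
    for s in ["V4.1.2cu.5137_B20200730", "V4.1.2cu.5100_B20200101",
              "V4.1.3cu.5001_B20210115", "4.1.2"]:
        print(f"{s!r}: {assess(s)}")
```

Feed it the version strings collected from each device's status page; anything other than "known-vulnerable" still needs the lab re-test described above before it is marked safe.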

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /cgi-bin/cstecgi.cgi whose NoticeUrl parameter contains shell metacharacters (; & | ` $ ( ))
  • POST requests to that endpoint from clients that never established an admin session; the exploit needs no authentication, so the absence of a login is itself notable
  • Unexpected command execution in router logs; consumer router firmware usually logs very little, so treat network-level capture (proxy, IDS, span port) as the primary source

Network Indicators:

  • HTTP traffic to the router on TCP 80/443 with shell metacharacters in request parameters, especially from WAN-side addresses
  • Outbound connections initiated by the router itself to unexpected destinations (payload download, reverse shell, or botnet command-and-control)

SIEM Query:

source="router_logs" AND (uri_path="/cgi-bin/cstecgi.cgi" AND (param="NoticeUrl" AND value MATCHES "[;&|`$()]"))
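The SIEM query above assumes the log source has already split requests into fields. Where only raw request records are available (a proxy log or decoded pcap), the same logic has to be applied to the body. The script below is an added example (not part of the advisory and not a TOTOLINK tool) that reconstructs the NoticeUrl parameter from each request and flags the metacharacter set the query uses. It assumes the cstecgi.cgi endpoint takes a JSON body keyed by "topicurl" and "NoticeUrl", which this page does not state, and falls back to form encoding so the percent-encoded variant is not missed. The sample requests are constructed, with RFC 5737 documentation addresses.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs

# Endpoint and metacharacter set taken from the advisory's indicators.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
SHELL_META = re.compile(r"[;&|`$()\n]")


@dataclass
class HttpRequest:
    """One reconstructed HTTP request (from a proxy log or pcap decode)."""
    src_ip: str
    method: str
    path: str
    body: str


def extract_notice_url(body: str) -> Optional[str]:
    """Pull the NoticeUrl parameter out of a request body.

    Assumption (not stated on this page): the handler reads a JSON object.
    A form-encoded body is handled as a fallback so a percent-encoded
    payload does not slip past the detector.
    """
    stripped = body.strip()
    if stripped.startswith("{"):
        try:
            data = json.loads(stripped)
        except json.JSONDecodeError:
            return None
        value = data.get("NoticeUrl") if isinstance(data, dict) else None
        return value if isinstance(value, str) else None
    values = parse_qs(stripped, keep_blank_values=True).get("NoticeUrl")
    return values[0] if values else None


def classify(req: HttpRequest) -> Optional[dict]:
    """Return an alert for a suspicious setNoticeCfg request, else None."""
    if req.method.upper() != "POST" or req.path != TARGET_PATH:
        return None
    url = extract_notice_url(req.body)
    if url is None:
        return None
    hits = sorted(set(SHELL_META.findall(url)))
    if not hits:
        return None  # a plain URL is normal admin traffic
    return {"src_ip": req.src_ip, "notice_url": url, "metachars": hits}


def scan(requests: List[HttpRequest]) -> List[dict]:
    """Run the detector over a batch of requests."""
    return [alert for alert in (classify(r) for r in requests) if alert]


# Constructed sample traffic (not real captures).
SAMPLE = [
    # Legitimate configuration change: a normal URL, no alert.
    HttpRequest("192.0.2.10", "POST", TARGET_PATH,
                '{"topicurl":"setNoticeCfg","NoticeUrl":"http://192.0.2.2/notice.html"}'),
    # Injection attempt in JSON form: ';' terminates the intended command.
    HttpRequest("198.51.100.7", "POST", TARGET_PATH,
                '{"topicurl":"setNoticeCfg","NoticeUrl":"http://a;id>/tmp/o"}'),
    # Injection attempt, form-encoded, with percent-encoded backticks.
    HttpRequest("198.51.100.9", "POST", TARGET_PATH,
                "topicurl=setNoticeCfg&NoticeUrl=http%3A%2F%2Fa%2F%60wget+h%60"),
    # Same payload shape against another CGI path: out of scope for this rule.
    HttpRequest("203.0.113.5", "POST", "/cgi-bin/other.cgi",
                '{"NoticeUrl":"x;y"}'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Decoding before matching is the important design point: the metacharacters in the form-encoded request are invisible to a regex run over the raw body, which is why the SIEM query only works once the log pipeline has URL-decoded parameter values.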
