CVE-2025-28256

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code on TOTOLINK A3100R routers by exploiting improper input sanitization in the setWebWlanIdx function, giving them full control of affected devices. Only TOTOLINK A3100R routers running the specific vulnerable firmware listed below are affected.

💻 Affected Systems

Products:
  • TOTOLINK A3100R
Versions: V4.1.2cu.5247_B20211129
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only this specific firmware version is confirmed vulnerable. Other versions may also be affected but not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the router with persistent backdoor installation, credential theft, network traffic interception, and lateral movement to connected devices.

🟠 Likely Case: Router takeover leading to DNS hijacking, credential harvesting, and use as a botnet node for DDoS attacks.

🟢 If Mitigated: Limited impact if the device is behind a firewall with restricted WAN access and network segmentation.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication on default configurations.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available in a GitHub repository. Exploitation requires sending a crafted HTTP request to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available. Check the TOTOLINK website for firmware updates; if one exists, download it from the official source and flash it via the web interface.

🔧 Temporary Workarounds

Block Web Interface Access (linux)

Restrict access to the router web interface from untrusted networks. Dropping all inbound HTTP/HTTPS on the device would also cut off LAN management (and the firmware flash described above), so limit the rules to the WAN interface. Replace <wan-if> with the device's WAN interface name (placeholder).

# Drop HTTP and HTTPS only when they arrive on the WAN interface
iptables -A INPUT -i <wan-if> -p tcp --dport 80 -j DROP
iptables -A INPUT -i <wan-if> -p tcp --dport 443 -j DROP

Disable Remote Management (all platforms)

Turn off remote administration features in the router settings.

🧯 If You Can't Patch

  • Place router behind firewall with strict inbound rules blocking all WAN access to management interfaces
  • Implement network segmentation to isolate router from critical internal systems

🔍 How to Verify

Check if Vulnerable:

Check firmware version in router web interface under System Status or Administration settings

Check Version:

curl -s http://router-ip/cgi-bin/luci/ | grep -i version

Verify Fix Applied:

Confirm that the installed firmware is no longer V4.1.2cu.5247_B20211129. Because no fixed version is listed above, a different version number alone does not prove the issue is closed; use only firmware obtained from the official TOTOLINK source.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /cgi-bin/luci
  • Multiple failed authentication attempts followed by successful access
  • Unexpected process execution in system logs

Network Indicators:

  • HTTP requests containing shell commands or encoded payloads to router IP
  • Outbound connections from router to unknown IPs

SIEM Query:

source="router.log" AND ("setWebWlanIdx" OR ("/cgi-bin/luci" AND status=200))
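As an added illustration of the log indicators above (example code written for this page, not from TOTOLINK or the CVE entry), the script below scans constructed combined-format access-log lines for POST requests to /cgi-bin/luci that reference setWebWlanIdx or carry shell metacharacters in URL-decoded parameter values. The log format, the query-string layout and the parameter names are assumptions; the router's real request format is not given on this page.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample lines in combined-log style (not real A3100R output;
# the router's own log format is not documented on this page).
SAMPLE_LOG = """\
192.168.0.10 - - [10/Apr/2025:10:01:02 +0000] "GET /cgi-bin/luci/ HTTP/1.1" 200 512
192.168.0.10 - - [10/Apr/2025:10:01:05 +0000] "POST /cgi-bin/luci/admin/status HTTP/1.1" 200 88
203.0.113.7 - - [10/Apr/2025:10:02:11 +0000] "POST /cgi-bin/luci/?fn=setWebWlanIdx&idx=1%3Bls HTTP/1.1" 200 31
203.0.113.7 - - [10/Apr/2025:10:02:13 +0000] "POST /cgi-bin/luci/?fn=setWebWlanIdx&idx=1 HTTP/1.1" 200 31
10.0.0.5 - - [10/Apr/2025:10:03:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Characters a shell would interpret; checked on decoded parameter values,
# so the '&' that separates query parameters does not trigger a hit.
SHELL_META = re.compile(r"[;|`$]")


def classify(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    if m["method"] != "POST" or "/cgi-bin/luci" not in target:
        return None
    reasons = []
    if "setWebWlanIdx" in unquote(target):
        reasons.append("setWebWlanIdx referenced")
    values = [v for vs in parse_qs(urlsplit(target).query).values() for v in vs]
    if any(SHELL_META.search(v) for v in values):
        reasons.append("shell metacharacter in decoded parameter value")
    if not reasons:
        return None
    severity = "high" if len(reasons) == 2 else "medium"
    return {"ip": m["ip"], "time": m["ts"], "status": m["status"],
            "severity": severity, "reasons": reasons}


def scan(log_text):
    """Run classify over every line and keep the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings from a WAN-side address deserve the most attention, since the workaround above is meant to leave only LAN management reachable.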
