CVE-2025-8938 – This vulnerability in TOTOLINK N350R routers al... (How to Fix)

Q: What is the severity of CVE-2025-8938?

CVE-2025-8938 has a CVSS score of 6.3 (MEDIUM). This vulnerability in TOTOLINK N350R routers allows attackers to enable a backdoor via the Telnet service by manipulating the TelEnabled parameter. Attackers can exploit this remotely to gain unauthorized access to affected devices. Only TOTOLINK N350R routers running firmware version 1.2.3-B20130826 are affected.

📋 TL;DR

This vulnerability in TOTOLINK N350R routers allows attackers to enable a backdoor via the Telnet service by manipulating the TelEnabled parameter. Attackers can exploit this remotely to gain unauthorized access to affected devices. Only TOTOLINK N350R routers running firmware version 1.2.3-B20130826 are affected.

💻 Affected Systems

Products:

TOTOLINK N350R

Versions: 1.2.3-B20130826

Operating Systems: Embedded router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default configuration of affected firmware versions. Telnet service must be accessible for exploitation.

📦 What is this software?

N350r Firmware by Totolink

View all CVEs affecting N350r Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the router allowing attackers to intercept network traffic, modify configurations, install persistent malware, and pivot to internal networks.

🟠

Likely Case

Unauthorized access to router administration leading to network disruption, DNS hijacking, or credential theft from connected devices.

🟢

If Mitigated

Limited impact if Telnet service is disabled and router is not internet-facing, though local network attacks remain possible.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely without authentication if the router is exposed to the internet.

🏢 Internal Only: MEDIUM - Attackers on the local network can exploit this vulnerability to gain router access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept exploit code is available on GitHub. Exploitation requires network access to the Telnet service on port 23.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Check TOTOLINK website for firmware updates. If no update exists, consider replacing affected hardware.

🔧 Temporary Workarounds

Disable Telnet Service

all

Disable the Telnet service completely to prevent exploitation of this vulnerability.

Access router admin interface → Advanced Settings → Telnet → Disable

Restrict Network Access

all

Use firewall rules to block external access to Telnet port 23 and restrict internal access to trusted IPs only.

iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 23 -s trusted_ip -j ACCEPT

🧯 If You Can't Patch

Replace affected TOTOLINK N350R routers with newer models or different brands that receive security updates
Segment affected routers on isolated network segments to limit potential damage from compromise

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin interface. If version is 1.2.3-B20130826, the device is vulnerable. Also test if Telnet service responds on port 23.

Check Version:

Login to router admin interface and check System Status or Firmware Version page

Verify Fix Applied:

Verify Telnet service is disabled by attempting to connect to port 23 (telnet router_ip 23) - connection should be refused.

📡 Detection & Monitoring

Log Indicators:

Unusual Telnet connection attempts
Configuration changes to Telnet settings
Failed authentication attempts on Telnet port

Network Indicators:

Unexpected traffic on Telnet port 23
Telnet connections from unusual IP addresses
Telnet service enabled when it should be disabled

SIEM Query:

source_port:23 OR destination_port:23 AND (action:denied OR action:allowed) | stats count by src_ip, dest_ip

📊 Metadata

CVE ID: CVE-2025-8938

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-912

EPSS Score: 0.09% exploit probability (25.3th percentile)

Published: August 14, 2025

Last Updated: October 3, 2025

🔗 References

https://github.com/rew1X/CVE/blob/main/TOTOLINK/formSysTel/formSysTel.md Broken Link
https://github.com/rew1X/CVE/blob/main/TOTOLINK/formSysTel/formSysTel.md#poc Broken Link
https://vuldb.com/?ctiid.319901 Permissions Required,VDB Entry
https://vuldb.com/?id.319901 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.631837 Third Party Advisory,VDB Entry
https://www.totolink.net/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-8938, you might also want to check these: