Cyber Resilience

CVE-2025-28034

Critical · Public PoC · RCE

Published: 22 April 2025
Modified: 29 April 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0279 (86.4th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-28034 is a critical-severity OS command injection (CWE-78) vulnerability in TOTOLINK router firmware; the affected-product entries cover the A800R, A810R, A830R, A950RG, A3000RU and A3100R. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 13.6% of CVEs by EPSS-predicted exploit likelihood (86.4th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 contain a pre-authentication remote command execution flaw in the NTPSyncWithHost function that is triggered through the hostTime parameter. The issue is tracked as CVE-2025-28034 with a CVSS 3.1 base score of 9.8 and is classified under CWE-78 as an instance of OS command injection.

An unauthenticated attacker with network reachability to an affected device can supply a crafted hostTime value and execute arbitrary operating-system commands without any prior authentication or user interaction. Successful exploitation grants the attacker full control over the device, including the ability to read, modify, or delete data and to disrupt availability. Exposure therefore depends on who can reach the management interface: a device whose web interface is reachable from the WAN side is exposed to the Internet, while one reachable only from the LAN is exposed to anything already inside that network.

Public references consist of two detailed Notion pages that describe the vulnerability but do not reference vendor advisories, firmware updates, or mitigation steps; at the time of writing there is no fix to apply, so remediation is limited to restricting reachability of the management interface or replacing the device. The EPSS score rose from a low baseline to a peak of 0.0636 on 2026-02-16 before receding to the current value of 0.0279. EPSS is a predicted probability of exploitation activity, not a record of observed attacks, so this movement indicates increased exploitation interest after disclosure rather than confirmed exploitation.
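The following is an added illustration of the CWE-78 pattern described above, not TOTOLINK's code and not taken from the referenced proof-of-concept. It assumes, as an assumption not stated on this page, that the handler hands the hostTime string to a `date -s` command through a shell; the exact command the firmware runs is not published here. The vulnerable builder shows how a crafted value breaks out of the quoted argument, and the hardened handler shows the input-validation control that the Mitigating Controls section lists for CWE-78: a strict allow-list on the value plus an argv array for execv so that no shell ever parses it. The metacharacter check is the same test a WAF rule or log query would apply to the hostTime parameter. All sample inputs are constructed.

```c
/*
 * Added example for CVE-2025-28034 (CWE-78). Not vendor code.
 * ASSUMPTION (not on the page): hostTime is a "YYYY-MM-DD HH:MM:SS"
 * string that the firmware passes to BusyBox `date -s` via a shell.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Vulnerable pattern: untrusted hostTime is pasted into a shell command line.
   Returns 0 on success, -1 if the buffer is too small. */
int build_vuln_command(const char *host_time, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "date -s \"%s\"", host_time);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;
}

/* Strict allow-list: accept only the exact shape "YYYY-MM-DD HH:MM:SS".
   Every position is either a digit ('d' in the template) or a fixed separator. */
int host_time_is_valid(const char *s) {
    static const char template[] = "dddd-dd-dd dd:dd:dd";
    size_t len = sizeof(template) - 1;
    size_t i;
    if (s == NULL || strlen(s) != len) return 0;
    for (i = 0; i < len; i++) {
        if (template[i] == 'd') {
            if (!isdigit((unsigned char)s[i])) return 0;
        } else if (s[i] != template[i]) {
            return 0;
        }
    }
    return 1;
}

/* Hardened handler: validate first, then build an argv vector for execv().
   No shell is involved, so metacharacters in the value have no meaning.
   Returns the number of argv entries, or -1 when the value is rejected. */
int build_hardened_argv(const char *host_time, const char *argv_out[4]) {
    if (!host_time_is_valid(host_time)) return -1;
    argv_out[0] = "/bin/date";   /* assumed path to BusyBox date */
    argv_out[1] = "-s";
    argv_out[2] = host_time;
    argv_out[3] = NULL;
    return 3;
}

/* Detection-side check: does a submitted hostTime carry shell metacharacters?
   Suitable for a WAF rule or for scanning captured request bodies. */
int host_time_has_metachars(const char *s) {
    return strpbrk(s, ";|&`$(){}<>\n\r'\"\\") != NULL;
}

int main(void) {
    /* constructed sample values */
    const char *benign  = "2025-04-22 10:00:00";
    const char *hostile = "2025-04-22 10:00:00\"; id; echo \"";
    char cmd[256];
    const char *argv[4];

    if (build_vuln_command(hostile, cmd, sizeof cmd) == 0)
        printf("vulnerable command line: %s\n", cmd);
    printf("benign valid=%d metachars=%d\n",
           host_time_is_valid(benign), host_time_has_metachars(benign));
    printf("hostile valid=%d metachars=%d hardened argv=%d\n",
           host_time_is_valid(hostile), host_time_has_metachars(hostile),
           build_hardened_argv(hostile, argv));
    return 0;
}
```

The vulnerable builder turns the hostile value into `date -s "2025-04-22 10:00:00"; id; echo ""`, which a shell runs as three commands; the hardened path rejects the same value before any command is assembled, and even a value that passed validation would reach `date` as a single argv element.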

Vulnerability details

TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in the NTPSyncWithHost function through the hostTime parameter.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Version
totolink | a800r firmware | 4.1.2cu.5137_b20200730
totolink | a810r firmware | 4.1.2cu.5182_b20201026
totolink | a830r firmware | 4.1.2cu.5182_b20201102
totolink | a950rg firmware | 4.1.2cu.5161_b20200903
totolink | a3000ru firmware | 5.9c.5185_b20201128
totolink | a3100r firmware | 4.1.2cu.5247_b20211129

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-78) cited in the NVD entry, so each item should be checked for applicability to an embedded router before relying on it.

Managed runtime or sandbox (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. This control does not apply here: the vulnerable NTPSyncWithHost handler is native code running on the device itself, with no managed runtime between it and the operating system.

Input validation (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution. For the hostTime parameter this means a strict allow-list on the expected value format and, where possible, invoking the underlying command without a shell so that metacharacters are never interpreted.
