CVE-2025-28034
Published: 22 April 2025
Summary
CVE-2025-28034 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A800R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 13.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 contain a pre-authentication remote command execution flaw in the NTPSyncWithHost function that is triggered through the hostTime parameter. The issue is tracked as CVE-2025-28034 with a CVSS 3.1 base score of 9.8 and is classified under CWE-78 as an instance of OS command injection.
An unauthenticated attacker with network reachability to an affected device can supply a crafted hostTime value and execute arbitrary operating-system commands without any prior authentication or user interaction. Successful exploitation grants the attacker full control over the device, including the ability to read, modify, or delete data and to disrupt availability.
Public references consist of two detailed Notion pages that describe the vulnerability but do not reference vendor advisories, firmware updates, or mitigation steps. The EPSS score rose from a low baseline to a peak of 0.0636 on 2026-02-16 before receding to the current value of 0.0279, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12218
Vulnerability details
TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in the NTPSyncWithHost function through the hostTime parameter.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.