CVE-2025-28035
Published: 22 April 2025
Summary
CVE-2025-28035 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A830R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 11.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK A830R routers running firmware version V4.1.2cu.5182_B20201102 contain a pre-authentication remote command execution flaw in the setNoticeCfg function. The vulnerability is triggered through the NoticeUrl parameter and is classified under CWE-78 as an instance of OS command injection. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without credentials or user interaction.
An unauthenticated attacker can send a crafted HTTP request to the affected device and execute arbitrary operating-system commands. Successful exploitation grants the attacker full control over the router, including the ability to read or modify configuration data, intercept traffic, or pivot into the local network.
Public references consist of researcher notes hosted on Notion that describe the issue but do not include vendor advisories, firmware updates, or mitigation guidance. The EPSS score rose from lower values after disclosure to a peak of 0.0636 on 2026-02-16 before receding to the current 0.0374, indicating a temporary increase in exploitation interest.
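As an added illustration (not the vendor's code or the researcher's notes), a defender-side check for the weakness class this record describes: a strict allowlist for a NoticeUrl-style value, and a scanner that flags setNoticeCfg requests carrying an unsafe one in constructed access-log lines. The log format and the /cgi-bin/setNoticeCfg path are assumptions, not taken from the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that must never reach a shell-backed helper (CWE-78).
SHELL_META = re.compile(r"[;&|`$()<>\n\r\\'\"{}]")
# host[:port] only; userinfo ("user:pass@") is rejected on purpose.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")

def is_safe_notice_url(value: str) -> bool:
    """Allowlist check: printable ASCII, http(s), plain host, no shell metacharacters."""
    if len(value) > 256 or SHELL_META.search(value):
        return False
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    return bool(HOST_RE.match(parts.netloc)) and parts.fragment == ""

# Assumed log format: client_ip method target status (one request per line).
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# Constructed sample lines; the endpoint path is hypothetical.
SAMPLE_LOG = """\
198.51.100.7 POST /cgi-bin/setNoticeCfg?NoticeUrl=http://notice.example.net/today 200
203.0.113.9 POST /cgi-bin/setNoticeCfg?NoticeUrl=http://x%3Bid 200
203.0.113.9 POST /cgi-bin/setNoticeCfg?NoticeUrl=http%3A%2F%2Fx%253Bid 200
203.0.113.9 GET /cgi-bin/setNoticeCfg?NoticeUrl=ftp://files.example.net/n 200
192.0.2.44 GET /login.cgi 200
"""

def scan_log(lines):
    """Return (line_no, client_ip, reason) for setNoticeCfg requests with an unsafe NoticeUrl."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m or "setNoticeCfg" not in m.group("target"):
            continue
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() != "noticeurl":
                continue
            for v in values:
                v = unquote(v)  # parse_qs decoded once; catch double-encoded values too
                if not is_safe_notice_url(v):
                    findings.append((n, m.group("ip"), f"unsafe NoticeUrl: {v!r}"))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f)
```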
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12207
Vulnerability details
TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.