Cyber Resilience

CVE-2025-28035

Critical · Public PoC · RCE

Published: 22 April 2025
Modified: 29 April 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0374 (88.3rd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-28035 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A830R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 11.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK A830R routers running firmware version V4.1.2cu.5182_B20201102 contain a pre-authentication remote command execution flaw in the setNoticeCfg function. The vulnerability is triggered through the NoticeUrl parameter and is classified under CWE-78 as an instance of OS command injection. It carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without credentials or user interaction.

An unauthenticated attacker can send a crafted HTTP request to the affected device and execute arbitrary operating-system commands. Successful exploitation grants the attacker full control over the router, including the ability to read or modify configuration data, intercept traffic, or pivot into the local network.

Public references consist of researcher notes hosted on Notion that describe the issue but do not include vendor advisories, firmware updates, or mitigation guidance. The EPSS score rose from lower values after disclosure to a peak of 0.0636 on 2026-02-16 before receding to the current 0.0374, indicating a temporary increase in exploitation interest.

EU & UK References

Vulnerability details

TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

totolink a830r firmware, version 4.1.2cu.5182_b20201102
totolink a3100r firmware, version 4.1.2cu.5247_b20211129
totolink a810r firmware, version 4.1.2cu.5182_b20201026
totolink a800r firmware, version 4.1.2cu.5137_b20200730
totolink a3000ru firmware, version 5.9c.5185_b20201128
totolink a950rg firmware, version 4.1.2cu.5161_b20200903

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.

References