CVE-2025-28036
Published: 22 April 2025
Summary
CVE-2025-28036 is a critical-severity OS Command Injection (CWE-78) vulnerability in TOTOLINK A950RG firmware. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
TOTOLINK A950RG firmware version V4.1.2cu.5161_B20200903 contains a pre-authentication remote command execution vulnerability in the setNoticeCfg function. The flaw is triggered through the NoticeUrl parameter and is tracked as CWE-78, indicating improper neutralization of special elements used in an OS command. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.
An unauthenticated attacker can send a crafted HTTP request to the affected device and execute arbitrary operating-system commands. Successful exploitation grants the attacker full control over the router, including the ability to read, modify, or delete data and to disrupt device operation.
The current EPSS score of 0.0527 with a recorded peak of 0.0636 indicates modest but non-zero public interest following disclosure. Public references consist of technical write-ups hosted on Notion that document the vulnerability details and reproduction steps.
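As an added defensive illustration (not code from the TOTOLINK firmware, whose setNoticeCfg handler is not shown on this page), the C sketch below shows how a NoticeUrl-style parameter can be handled so that it never reaches a shell: a strict character allowlist, and an argv vector built for execv() rather than a command string for system(). The helper path /usr/bin/fetch-notice and its --url flag are assumed placeholders.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Illustration only, not the TOTOLINK setNoticeCfg code: the URL is checked
 * against an allowlist and placed in argv as one entry for execv(), so no
 * shell ever parses attacker-controlled text. */
#define NOTICE_URL_MAX 256
#define FETCH_TOOL "/usr/bin/fetch-notice" /* placeholder helper path */

/* Allowlist: alphanumerics plus a few URL characters; shell metacharacters
 * (; | & ` $ ( ) < > quotes, whitespace) are deliberately excluded. */
static bool url_char_ok(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("-._~:/?=%#", c) != NULL);
}

/* True only for a bounded http(s) URL made entirely of allowed characters. */
bool notice_url_is_safe(const char *url)
{
    if (url == NULL ||
        (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0))
        return false;
    for (size_t i = 0; url[i] != '\0'; i++)
        if (i >= NOTICE_URL_MAX || !url_char_ok((unsigned char)url[i]))
            return false;
    return true;
}

/* Fills argv for the helper and returns the entries filled (excluding the
 * terminating NULL), or 0 if validation fails. Hand this vector to execv();
 * the URL stays a single argument and is never interpolated into a string. */
size_t build_fetch_argv(const char *url, const char *argv[], size_t cap)
{
    if (cap < 4 || !notice_url_is_safe(url))
        return 0;
    argv[0] = FETCH_TOOL;
    argv[1] = "--url";
    argv[2] = url;
    argv[3] = NULL;
    return 3;
}
```

The allowlist is intentionally narrower than RFC 3986 permits, because several legal URL characters are also shell metacharacters; rejecting them is cheap defense in depth even once the shell is gone.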
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-12208
Vulnerability details
TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.