Cyber Resilience

CVE-2025-28036

Critical · Public PoC · RCE

Published: 22 April 2025
Modified: 29 April 2025
KEV Added: not listed
Patch: no entry
CVSS Score (v3.1): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0527 (90.2nd percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-28036 is a critical-severity OS command injection (CWE-78) vulnerability in TOTOLINK A950RG firmware. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 9.8% of CVEs by estimated exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

TOTOLINK A950RG firmware version V4.1.2cu.5161_B20200903 contains a pre-authentication remote command execution vulnerability in the setNoticeCfg function. The flaw is triggered through the NoticeUrl parameter and is tracked as CWE-78, indicating improper neutralization of special elements used in an OS command. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction.

An unauthenticated attacker who can reach the device's web management interface can send a crafted HTTP request carrying shell metacharacters in the NoticeUrl parameter and execute arbitrary operating-system commands in the context of the management service. Successful exploitation grants full control over the router, including the ability to read, modify or delete configuration and data and to disrupt device operation. Exposure therefore depends on where the management interface is reachable from: a device whose admin interface is exposed to the WAN is attackable from the internet, while a LAN-only interface is attackable by anyone on the local network or by a browser on it that can be induced to issue the request.
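The weakness class behind this CVE, shown as an added illustration rather than code from the TOTOLINK firmware: a handler that pastes a URL parameter into a shell command line beside a hardened handler that allowlists the URL and then passes it as a single argv element with no shell at all. Everything concrete here is an assumption for illustration only (the `wget` invocation, the `/tmp/notice.txt` path, the function names and the sample inputs); the page does not state what command the real setNoticeCfg handler builds from NoticeUrl.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define NOTICE_URL_MAX 255

/* VULNERABLE pattern (CWE-78). The attacker-controlled parameter is pasted into
 * a command line that the original code would hand to system(). Any shell
 * metacharacter in it (; | & ` $( ) and friends) becomes part of the command.
 * The wget command and output path are assumptions for illustration. Returns
 * the length written, or -1 on truncation. */
int build_notice_cmd_vulnerable(const char *notice_url, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "wget -q -O /tmp/notice.txt %s", notice_url);
    /* the original sink would be: system(cmd); */
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : n;
}

/* Allowlist validator: accept only http(s) URLs built from a restricted
 * character set. Shell metacharacters are not on the list, so they are
 * rejected by construction rather than by a denylist. Returns 1 or 0. */
int validate_notice_url(const char *url)
{
    static const char path_ok[] = "-._~/?=&%:@";   /* punctuation allowed in host/path */
    size_t len = strlen(url);
    const char *p;

    if (len == 0 || len > NOTICE_URL_MAX) return 0;
    if (strncmp(url, "http://", 7) == 0)       p = url + 7;
    else if (strncmp(url, "https://", 8) == 0) p = url + 8;
    else return 0;                                  /* scheme not allowed */
    if (*p == '\0' || *p == '/') return 0;          /* empty host */

    for (; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || strchr(path_ok, c)) continue;
        return 0;                                   /* ; | & ` $ ( ) space, ... */
    }
    return 1;
}

/* Hardened sink: the validated URL becomes exactly one argv element and the
 * program is started without a shell, so metacharacters would be passed to
 * wget verbatim even if validation were ever bypassed. Returns the child's
 * exit status, or -1 on validation or process failure. */
int fetch_notice_safe(const char *notice_url)
{
    if (!validate_notice_url(notice_url)) return -1;

    char *const argv[] = { "wget", "-q", "-O", "/tmp/notice.txt",
                           (char *)notice_url, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp("wget", argv);   /* no /bin/sh -c in the path */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* constructed sample inputs, not taken from any public PoC */
    const char *benign  = "http://192.168.0.1/notice.txt";
    const char *payload = "http://192.168.0.1/;id";   /* classic CWE-78 probe */
    char cmd[512];

    build_notice_cmd_vulnerable(payload, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);   /* ';id' would run as a 2nd command */
    printf("benign  -> %s\n", validate_notice_url(benign)  ? "accepted" : "rejected");
    printf("payload -> %s\n", validate_notice_url(payload) ? "accepted" : "rejected");
    return 0;
}
```

The order of the two defences matters: removing the shell from the call path is the fix, and the allowlist is defence in depth that also keeps odd but shell-harmless input (spaces, non-URL characters) out of the downstream tool. A denylist of `;`, `|` and `&` alone would miss `$(...)`, backticks and newline, which is why the validator enumerates what is allowed instead.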

The current EPSS score of 0.0527 (recorded peak 0.0636) is an estimated probability of roughly 5% that exploitation activity is observed within the next 30 days: modest in absolute terms, but high relative to the CVE population, as the 90.2nd-percentile ranking shows. Public references consist of technical write-ups hosted on Notion that document the vulnerability details and reproduction steps.


Vulnerability details

TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.

CWE(s)

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

TOTOLINK A950RG firmware 4.1.2cu.5161_b20200903
TOTOLINK A810R firmware 4.1.2cu.5182_b20201026
TOTOLINK A800R firmware 4.1.2cu.5137_b20200730
TOTOLINK A830R firmware 4.1.2cu.5182_b20201102
TOTOLINK A3000RU firmware 5.9c.5185_b20201128
TOTOLINK A3100R firmware 4.1.2cu.5247_b20211129

Only the A950RG build is named in the vulnerability description; the other models and builds appear in the affected-asset list and should be treated as in scope until verified against the vendor's advisory or a firmware update.

Mitigating Controls

Likely mitigating controls (generated from weakness type)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, so each entry needs a fit check against an embedded router before it is relied on.

Managed runtime or sandbox (addresses CWE-78)

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection. Caveat: a router's web management service is native firmware code, not a managed-runtime application, so this control does not apply to the affected devices themselves.

Input validation (addresses CWE-78)

Validates inputs to block special elements that would alter OS command execution. Caveat: this control lives in the firmware and can only be applied by the vendor in an update; operators can act only by installing fixed firmware when available, keeping the management interface unreachable from the WAN, and restricting which LAN hosts may reach the admin interface.
