CVE-2025-28256

Critical · Public PoC · RCE

Published: 28 March 2025
Modified: 14 April 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0125 (79.8th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-28256 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A3100R Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.2% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-28256 is an OS command injection vulnerability (CWE-78) in the TOTOLINK A3100R wireless router running firmware version V4.1.2cu.5247_B20211129. The flaw resides in the setWebWlanIdx function exported by /lib/cste_modules/wireless.so and permits unauthenticated remote code execution.

An attacker with network access can invoke the affected function without credentials or user interaction, resulting in arbitrary command execution on the device and full compromise of confidentiality, integrity, and availability.

Public references consist of a detailed technical report hosted on GitHub that reproduces the issue; no vendor advisory, firmware update, or official mitigation guidance is referenced in the available sources.

The associated EPSS score rose from a low baseline to a recorded peak of 0.0417, indicating that exploitation interest increased after public disclosure.

Vulnerability details

An issue in TOTOLINK A3100R V4.1.2cu.5247_B20211129 allows a remote attacker to execute arbitrary code via the setWebWlanIdx function of the file /lib/cste_modules/wireless.so.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability allows a remote attacker to execute arbitrary code via a function in the router's web-related wireless module, enabling exploitation of a public-facing application.

CVEs Like This One

CVE-2025-11005 (same vendor: Totolink)
CVE-2024-57016 (same vendor: Totolink)
CVE-2024-57015 (same vendor: Totolink)
CVE-2026-31177 (same vendor: Totolink)
CVE-2026-31181 (same vendor: Totolink)
CVE-2024-57013 (same vendor: Totolink)
CVE-2024-57011 (same vendor: Totolink)
CVE-2025-25579 (same vendor: Totolink)
CVE-2024-57012 (same vendor: Totolink)
CVE-2024-57014 (same vendor: Totolink)

Affected Assets

Vendor: totolink
Product: a3100r firmware
Version: 4.1.2cu.5247_b20211129

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 requires timely identification, reporting, and correction of flaws like this command injection vulnerability through firmware patching.

Prevent: SI-10 mandates input validation mechanisms at entry points such as setWebWlanIdx to block malicious command injection payloads.

Prevent: SC-7 enforces boundary protection to monitor and control network access to the vulnerable web management interface on the router.
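Of the three controls, SI-10 is the one a firmware developer can act on directly. As an added illustration (not TOTOLINK's code, and not the real logic of setWebWlanIdx, whose internals the available sources do not describe), this C snippet shows the allowlist check a handler for a wireless-index parameter should apply before the value can reach any system() or popen() call; the interface count, the command string and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: a small SOHO router exposes at most four wireless interfaces (wlan0..wlan3). */
#define MAX_WLAN_IDX 3

/*
 * Allowlist validation for an index parameter taken from an HTTP request.
 * Returns the index as an integer on success, or -1 when the input is
 * anything other than a short run of digits within range. Shell
 * metacharacters, whitespace, signs and overlong strings are all rejected
 * by the same rule, so there is no blocklist to keep up to date.
 */
int parse_wlan_idx(const char *input)
{
    if (input == NULL || *input == '\0')
        return -1;
    size_t len = strlen(input);
    if (len > 2)                       /* an index never needs more than two digits */
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)input[i]))
            return -1;
    long v = strtol(input, NULL, 10);  /* safe: input is all digits, at most 99 */
    if (v > MAX_WLAN_IDX)
        return -1;
    return (int)v;
}

/*
 * Builds the command a handler would pass on, using only the validated
 * integer, never the raw request string. Returns 0 on success and -1 if
 * the parameter was rejected or the buffer is too small. The command
 * path is a placeholder, not a TOTOLINK binary.
 */
int build_wlan_cmd(const char *input, char *out, size_t outlen)
{
    int idx = parse_wlan_idx(input);
    if (idx < 0)
        return -1;
    int n = snprintf(out, outlen, "/sbin/wlan_status wlan%d", idx);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```

Because the command is assembled from an integer rather than the request text, a rejected parameter never produces a command at all, which is the behaviour a handler should have regardless of how the caller reached it.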
