CVE-2025-28256
Published: 28 March 2025
Summary
CVE-2025-28256 is a critical-severity OS Command Injection (CWE-78) vulnerability in Totolink A3100R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-28256 is an OS command injection vulnerability (CWE-78) in the TOTOLINK A3100R wireless router running firmware version V4.1.2cu.5247_B20211129. The flaw resides in the setWebWlanIdx function exported by /lib/cste_modules/wireless.so and permits unauthenticated remote code execution.
An attacker with network access can invoke the affected function without credentials or user interaction, resulting in arbitrary command execution on the device and full compromise of confidentiality, integrity, and availability.
Public references consist of a detailed technical report hosted on GitHub that reproduces the issue; no vendor advisory, firmware update, or official mitigation guidance is referenced in the available sources.
The associated EPSS score rose from a low baseline to a recorded peak of 0.0417, indicating that exploitation interest increased after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8661
Vulnerability details
An issue in TOTOLINK A3100R V4.1.2cu.5247_B20211129 allows a remote attacker to execute arbitrary code via the setWebWlanIdx function of the file /lib/cste_modules/wireless.so.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows a remote attacker to execute arbitrary code via a function in the router's web-related wireless module, enabling exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of flaws like this command injection vulnerability through firmware patching.
SI-10 mandates input validation mechanisms at entry points such as setWebWlanIdx to block malicious command injection payloads.
SC-7 enforces boundary protection to monitor and control network access to the vulnerable web management interface on the router.
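As an added illustration of the SI-10 control described above (example code, not the TOTOLINK firmware's own implementation), the following C shows how a web handler can validate an untrusted index parameter strictly before it is used anywhere near a command line. The parameter name wlanIdx, the index range and the "wlanN" interface naming are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on WLAN interface indices; the real firmware's
 * range is not given on the page. */
#define WLAN_IDX_MAX 7

/* Strictly parse an untrusted "wlanIdx" value: decimal digits only,
 * no sign, no whitespace, no trailing bytes, within [0, WLAN_IDX_MAX].
 * Returns true and stores the index on success; false otherwise. */
bool parse_wlan_idx(const char *s, int *out)
{
    if (s == NULL || *s == '\0' || strlen(s) > 3)
        return false;
    for (const char *p = s; *p; p++)
        if (!isdigit((unsigned char)*p))
            return false;
    long v = strtol(s, NULL, 10);
    if (v < 0 || v > WLAN_IDX_MAX)
        return false;
    *out = (int)v;
    return true;
}

/* Build the interface name without a shell: the validated integer is the
 * only attacker-influenced input and it is formatted with %d, so no
 * metacharacters can ever reach a command line. Naming scheme is assumed. */
bool wlan_ifname(const char *untrusted_idx, char *buf, size_t len)
{
    int idx;
    if (!parse_wlan_idx(untrusted_idx, &idx))
        return false;
    int n = snprintf(buf, len, "wlan%d", idx);
    return n > 0 && (size_t)n < len;
}

int main(void)
{
    /* Constructed sample inputs: valid indices, out-of-range and malformed. */
    const char *samples[] = { "1", "7", "8", "-1", "1;x", "$(x)", "", " 1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char name[16];
        printf("%-8s -> %s\n", samples[i],
               wlan_ifname(samples[i], name, sizeof name) ? name : "REJECTED");
    }
    return 0;
}
```

The same pattern applies to any other parameter the handler forwards to system configuration: convert to a typed value with an allowlist, and pass it on with exec-style calls or direct library APIs rather than a shell.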