CVE-2025-8937
Published: 14 August 2025
Summary
CVE-2025-8937 is a medium-severity Injection (CWE-74) vulnerability in Totolink N350R Firmware. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct command injection in the public web management interface (formSysCmd) enables remote exploitation of the network device and arbitrary command execution through its command-line interface.
NVD Description
A vulnerability has been found in TOTOLINK N350R 1.2.3-B20130826. This vulnerability affects unknown code of the file /boafrm/formSysCmd. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Deeper analysis
CVE-2025-8937 is a command injection vulnerability (CWE-74, CWE-77) in the TOTOLINK N350R router running firmware version 1.2.3-B20130826. The issue resides in unknown code within the /boafrm/formSysCmd file, where manipulation allows attackers to inject commands. It has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity with network accessibility and low attack complexity.
Attackers with low privileges (PR:L) can exploit this remotely without user interaction, achieving command injection on the affected device. Successful exploitation has limited impact: low confidentiality (C:L), integrity (I:L), and availability (A:L) effects, potentially allowing arbitrary command execution within the context of the vulnerable component.
Details on the exploit, including proof-of-concept, are publicly disclosed via GitHub repositories at https://github.com/rew1X/CVE/blob/main/TOTOLINK/N350R_formSysCmd.pdf and https://github.com/rew1X/CVE/blob/main/TOTOLINK/formSysCmd/formSysCmd.md, as well as VulDB entries at https://vuldb.com/?ctiid.319900, https://vuldb.com/?id.319900, and https://vuldb.com/?submit.631826. No specific patch or mitigation guidance is detailed in the available information.
Details
- CWE(s)