CVE-2025-8937
Published: 14 August 2025
Summary
CVE-2025-8937 is a low-severity Injection (CWE-74) vulnerability in Totolink N350R Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A vulnerability has been identified in the TOTOLINK N350R router running firmware version 1.2.3-B20130826. The issue resides in an unspecified portion of the /boafrm/formSysCmd endpoint and stems from improper handling of user-supplied input, resulting in command injection as classified under CWE-74 and CWE-77. The flaw is remotely reachable and carries a CVSS 4.0 score of 2.1, reflecting the need for an authenticated low-privileged account but no user interaction.
An attacker who can authenticate to the device can supply crafted parameters to the affected form handler, causing arbitrary operating-system commands to execute on the router. Successful exploitation grants limited control over the device, including the ability to read, modify, or delete data within the scope of the compromised process. Public proof-of-concept material has already been released, confirming that the attack can be carried out over the network.
The associated EPSS score remains low and unchanged at 0.0172, indicating no significant increase in observed exploitation interest since disclosure. The referenced materials consist of exploit documentation hosted on GitHub and the corresponding VulDB entries; no vendor advisory or patch information is included among them.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24663
Vulnerability details
A vulnerability has been found in TOTOLINK N350R 1.2.3-B20130826. This vulnerability affects unknown code of the file /boafrm/formSysCmd. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct command injection in the router's public web management interface (formSysCmd) enables remote exploitation of the network device and arbitrary command execution through its command-line interface.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of inputs to the /boafrm/formSysCmd endpoint to block command injection strings before they reach the underlying system command processor.
- Access enforcement: enforces access-control decisions on the formSysCmd handler so that only explicitly authorized subjects can invoke the command-execution path.
- SI-2 (Flaw Remediation): requires timely application of vendor patches or firmware updates that eliminate the command-injection flaw in formSysCmd.