CVE-2025-28138
Published: 27 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-28138 is a pre-authentication remote command execution vulnerability affecting the TOTOLINK A800R router running firmware version V4.1.2cu.5137_B20200730. The flaw resides in the setNoticeCfg function, where the NoticeUrl parameter allows attackers to inject and execute arbitrary operating system commands, corresponding to CWE-78 (OS Command Injection). The vulnerability has a CVSS v3.1 base score of 9.8, reflecting its critical severity due to network accessibility and lack of prerequisites for exploitation.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation grants attackers the ability to execute arbitrary commands on the device, potentially achieving full compromise with high impacts on confidentiality, integrity, and availability, such as data theft, persistent access, or device disruption.
Details on exploitation, including proof-of-concepts, are documented in advisories available at https://github.com/Zerone0x00/CVE/blob/main/TOTOLINK/CVE-2025-28138.md and https://sudsy-eyeliner-a59.notion.site/RCE2-1ac72b8cd95f8055a76ee0ca262aac1a?pvs=4. No specific patch or mitigation guidance is detailed in the provided CVE information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Pre-auth RCE via OS command injection in public-facing router web interface directly enables T1190 for initial access and T1059.004 for Unix shell command execution.