
A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-28138, has been identified in TOTOLINK A800R routers running firmware version V4.1.2cu.5137_B20200730. The flaw, which resides in the setNoticeCfg function via the NoticeUrl parameter, allows unauthenticated attackers to execute arbitrary commands on affected devices. With a CVSS v3.1 score of 9.8 (Critical), this vulnerability poses a significant risk to network security.
Technical Analysis
The vulnerability stems from improper input sanitization in the router's web interface. Attackers can inject OS commands through crafted HTTP requests to the NoticeUrl parameter, a weakness classified under CWE-78 (OS Command Injection). GreyNoise has already detected exploitation attempts from four unique IPs, primarily targeting U.S. systems. A proof-of-concept demonstrating RCE was shared on a Notion page, though no official patch is available as of March 2025.
Mitigation and Recommendations
Organizations using affected devices should immediately disable remote management and monitor logs for unusual HTTP requests to setNoticeCfg. Network segmentation and Web Application Firewall (WAF) rules can help block malicious payloads. TOTOLINK has not released a firmware update, leaving users to consider replacing end-of-life devices if no patch is forthcoming.
Relevance to Security Professionals
This vulnerability is particularly concerning for environments with exposed TOTOLINK routers, as it enables full device compromise and potential botnet integration. The lack of authentication requirements lowers the barrier for exploitation, making it a likely target for automated attacks. Monitoring for anomalous traffic patterns and implementing strict network access controls are advised.
Conclusion
CVE-2025-28138 represents a severe threat to network infrastructure using vulnerable TOTOLINK routers. Security teams should prioritize identifying affected devices and implementing compensating controls until an official fix is available. The active exploitation attempts underscore the urgency of addressing this vulnerability.