CVE-2025-28036: n/a in n/a
TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.
AI Analysis
Technical Summary
CVE-2025-28036 is a critical remote command execution (RCE) vulnerability identified in the TOTOLINK A950RG router firmware version 4.1.2cu.5161_B20200903. The flaw exists in the setNoticeCfg function, specifically through the NoticeUrl parameter, which allows injection of arbitrary commands without requiring any authentication or user interaction. This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that the input passed to the NoticeUrl parameter is not properly sanitized before it reaches an OS command, allowing attackers to execute arbitrary OS commands remotely. The CVSS v3.1 base score of 9.8 reflects the severity: a network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N), and full impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Exploiting this vulnerability could allow an attacker to fully compromise the affected device, potentially gaining control over the router, intercepting or manipulating network traffic, deploying malware, or pivoting into internal networks. Although no known exploits are currently reported in the wild, the ease of exploitation and critical impact make this a high-risk vulnerability. The lack of vendor or product information beyond the firmware version limits precise identification of the affected product line, but the TOTOLINK A950RG is a consumer-grade wireless router commonly used in home and small office environments. The vulnerability’s presence in a network gateway device significantly raises the stakes, as compromised routers can serve as persistent footholds for attackers and facilitate large-scale network attacks or data exfiltration.
Potential Impact
For European organizations, the impact of this vulnerability could be severe, especially for small and medium enterprises (SMEs) and home office setups relying on TOTOLINK A950RG routers. Successful exploitation could lead to full compromise of network gateways, enabling attackers to intercept sensitive communications, manipulate or disrupt business-critical services, and launch further attacks within corporate networks. The confidentiality of internal communications and data could be severely impacted, along with the integrity and availability of network services. Given the router’s role in managing internet access, attackers could also use compromised devices to launch distributed denial-of-service (DDoS) attacks or propagate malware. The vulnerability poses a particular risk to organizations with limited IT security resources or those that do not regularly update firmware. Additionally, sectors with high regulatory requirements for data protection, such as finance, healthcare, and critical infrastructure, could face compliance violations and reputational damage if exploited. The lack of authentication and user interaction requirements means attacks can be automated and launched remotely at scale, increasing the attack surface of European networks.
Mitigation Recommendations
1. Immediate firmware update: Organizations and users should verify if TOTOLINK has released a patched firmware addressing CVE-2025-28036 and apply it promptly.
2. Network segmentation: Isolate vulnerable routers from critical internal networks to limit potential lateral movement if compromised.
3. Access control: Restrict remote management interfaces and block access to router management ports from untrusted networks, especially the internet.
4. Monitor network traffic for anomalies indicative of exploitation attempts, such as unusual outbound connections or command injection patterns.
5. Employ intrusion detection/prevention systems (IDS/IPS) with signatures targeting this vulnerability or generic command injection attempts.
6. For organizations unable to update immediately, consider replacing vulnerable devices with models from vendors with active security support.
7. Educate users and IT staff about the risks of outdated router firmware and the importance of regular updates.
8. Implement strict firewall rules to limit exposure of the router’s management interfaces and use VPNs for remote access where necessary.
These steps go beyond generic advice by focusing on network architecture changes, monitoring, and access restrictions tailored to mitigate exploitation of this specific router vulnerability.
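As an added illustration of recommendation 4 (not part of the advisory and not TOTOLINK code), the following Python scans constructed web-access-log lines for requests that reach setNoticeCfg with a NoticeUrl value containing shell metacharacters, the CWE-78 pattern described above. The log format and the `/setNoticeCfg` request path are assumptions; the router's real request encoding may differ, so the parsing would need adapting to the actual logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). The request path and
# query encoding are placeholders for the router's actual request format.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2025:09:09:27 +0000] "GET /setNoticeCfg?NoticeUrl=http%3A%2F%2Fnotice.example.com%2Fmsg HTTP/1.1" 200 512
203.0.113.8 - - [21/May/2025:09:10:02 +0000] "GET /setNoticeCfg?NoticeUrl=http%3A%2F%2Fx%2F%3Bid HTTP/1.1" 200 128
203.0.113.9 - - [21/May/2025:09:11:45 +0000] "GET /status HTTP/1.1" 200 2048
203.0.113.10 - - [21/May/2025:09:12:13 +0000] "GET /setNoticeCfg?NoticeUrl=http%3A%2F%2Fx%2F%24%28uname%29 HTTP/1.1" 200 128
"""

# Common-log-format request line: method, target, protocol.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Shell metacharacters that have no legitimate place in a notification URL.
_SHELL_META = re.compile(r'[;|&`$()<>\n\r]')


def is_suspicious_notice_url(value: str) -> bool:
    """True if a (once-decoded) NoticeUrl value contains shell metacharacters.

    The value is URL-decoded one more time so that a second layer of
    percent-encoding does not hide the metacharacter from the check.
    """
    return bool(_SHELL_META.search(unquote(value)))


def scan_log(log_text: str) -> list[dict]:
    """Return one finding per request to setNoticeCfg whose NoticeUrl
    parameter carries shell metacharacters."""
    findings = []
    for line in log_text.splitlines():
        m = _REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if "setNoticeCfg" not in parts.path:
            continue
        # parse_qs already percent-decodes each value once.
        for value in parse_qs(parts.query, keep_blank_values=True).get("NoticeUrl", []):
            if is_suspicious_notice_url(value):
                findings.append({"client": line.split()[0],
                                 "path": parts.path,
                                 "notice_url": unquote(value)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT command-injection pattern in NoticeUrl from {f['client']}: {f['notice_url']!r}")
```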
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-03-11T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9847c4522896dcbf5abf
Added to database: 5/21/2025, 9:09:27 AM
Last enriched: 6/21/2025, 6:22:19 PM
Last updated: 7/26/2025, 6:55:25 PM
Related Threats
- CVE-2025-8081 (Medium): CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in elemntor Elementor Website Builder – More Than Just a Page Builder
- CVE-2025-6253 (High): CWE-862 Missing Authorization in uicore UiCore Elements – Free Elementor widgets and templates
- CVE-2025-3892 (Medium): CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS
- CVE-2025-30027 (Medium): CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS
- CVE-2025-7622 (Medium): CWE-918: Server-Side Request Forgery (SSRF) in Axis Communications AB AXIS Camera Station Pro