CVE-2025-3987: Command Injection in TOTOLINK N150RT

Severity: Medium
Tags: vulnerability, cve, cve-2025-3987
Published: Sun Apr 27 2025 (04/27/2025, 21:31:06 UTC)
Source: CVE
Vendor/Project: TOTOLINK
Product: N150RT

Description

A vulnerability was found in TOTOLINK N150RT 3.4.0-B20190525. It has been rated as critical. This issue affects some unknown processing of the file /boafrm/formWsc. The manipulation of the argument localPin leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/24/2025, 20:35:55 UTC

Technical Analysis

CVE-2025-3987 is a command injection vulnerability identified in the TOTOLINK N150RT router, specifically version 3.4.0-B20190525. The vulnerability arises from improper handling of the 'localPin' argument within the processing of the /boafrm/formWsc endpoint. An attacker can remotely manipulate this parameter to inject arbitrary commands into the underlying operating system shell. This type of vulnerability allows an attacker to execute system-level commands with the privileges of the affected service, potentially leading to full compromise of the device. The vulnerability does not require user interaction and can be exploited remotely over the network, although it requires low privileges (PR:L) on the device, indicating some form of limited authentication or access is necessary. The CVSS 4.0 base score is 5.3 (medium severity), reflecting moderate impact on confidentiality, integrity, and availability, with network attack vector and low attack complexity. The vulnerability has been publicly disclosed, but no known exploits are reported in the wild yet. The TOTOLINK N150RT is a consumer-grade router commonly used in small offices and homes, and the affected firmware version dates back to 2019, suggesting that many devices may remain unpatched. The command injection vulnerability could allow attackers to gain persistent access, manipulate network traffic, or pivot into internal networks if exploited successfully.

Potential Impact

For European organizations, the exploitation of this vulnerability could have several consequences. Small and medium enterprises (SMEs) and home office environments using TOTOLINK N150RT routers may face unauthorized access to their network infrastructure. Attackers could leverage the command injection to install malware, intercept sensitive communications, or use the compromised device as a foothold for lateral movement within corporate networks. This is particularly concerning for organizations with remote or hybrid work setups relying on consumer-grade networking equipment. The integrity and availability of network services could be disrupted, leading to operational downtime or data breaches. While the vulnerability requires some level of authentication, the risk remains significant because many devices may still run outdated firmware without proper access controls. The public disclosure increases the likelihood of exploitation attempts, especially by opportunistic attackers targeting less secure environments. The impact on confidentiality is moderate due to potential data interception, while integrity and availability impacts could be more severe if attackers execute destructive commands or disrupt network connectivity.

Mitigation Recommendations

1. Immediate firmware upgrade: Organizations and users should verify the firmware version of their TOTOLINK N150RT devices and upgrade to the latest available version from the vendor that addresses this vulnerability. If no patch is available, consider replacing the device with a more secure alternative.
2. Network segmentation: Isolate vulnerable routers from critical internal networks to limit potential lateral movement if compromised.
3. Access control hardening: Restrict management interface access to trusted IP addresses and enforce strong authentication mechanisms to reduce the risk of unauthorized exploitation.
4. Monitor network traffic: Deploy intrusion detection systems (IDS) or network monitoring tools to detect unusual command injection attempts or abnormal traffic patterns targeting the /boafrm/formWsc endpoint.
5. Disable WPS if not needed: Since the vulnerability is related to the WPS (Wi-Fi Protected Setup) functionality, disabling WPS can reduce the attack surface.
6. Vendor engagement: Encourage TOTOLINK to release a security patch promptly and communicate mitigation guidance to users.
7. Incident response readiness: Prepare to isolate and remediate compromised devices quickly to minimize impact.
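One way to implement the monitoring in item 4, as an added example (not code from the vendor or from this advisory): it scans request records for /boafrm/formWsc and flags any localPin value that is not a plain 4- or 8-digit WPS PIN after URL decoding. The tab-separated record layout, the sample lines and the digits-only assumption for a legitimate localPin are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

ENDPOINT = "/boafrm/formWsc"   # path named in the CVE description
PARAM = "localPin"             # argument named in the CVE description
# Assumption: a legitimate value is a WPS PIN, exactly 4 or 8 ASCII digits.
VALID_PIN = re.compile(r"[0-9]{4}|[0-9]{8}")

# Constructed sample records: "<src>\t<method>\t<path>\t<urlencoded body>"
SAMPLE_LOG = (
    "192.0.2.10\tPOST\t/boafrm/formWsc\tlocalPin=12345670&action=constructed\n"
    "192.0.2.10\tPOST\t/boafrm/formWsc\tlocalPin=1234\n"
    "198.51.100.7\tPOST\t/boafrm/formWsc\tlocalPin=12345670%3BPLACEHOLDER\n"
    "198.51.100.7\tPOST\t/boafrm/formWsc\tlocalPin=1234%0A\n"
    "192.0.2.10\tPOST\t/other\tlocalPin=not-this-endpoint\n"
    "203.0.113.5\tGET\t/boafrm/formWsc\t\n"
)


def suspicious_requests(log_text):
    """Return (source, decoded_value) for each request to ENDPOINT whose
    localPin fails the strict allow-list check."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # not in the assumed record layout
        src, _method, target, body = fields
        path, _, query = target.partition("?")
        if path != ENDPOINT:
            continue
        # Check the parameter wherever it arrives: query string or form body.
        # parse_qs percent-decodes, so encoded metacharacters are seen as-is.
        params = parse_qs(query + "&" + body, keep_blank_values=True)
        for value in params.get(PARAM, []):
            # fullmatch (not match with "$") also rejects a trailing newline.
            if not VALID_PIN.fullmatch(value):
                hits.append((src, value))
    return hits


if __name__ == "__main__":
    for src, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {ENDPOINT} {PARAM}={value!r} from {src}")
```

An allow-list on the expected PIN shape avoids maintaining a list of shell metacharacters, and the same check can be applied in a reverse proxy placed in front of the management interface.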

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-04-26T08:15:39.652Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983dc4522896dcbef628

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 8:35:55 PM

Last updated: 8/4/2025, 6:52:46 AM
