CVE-2025-28034 – TOTOLINK Router Pre-Auth Remote Command Execution Vulnerability

April 22, 2025

CVE ID : CVE-2025-28034

Published : April 22, 2025, 2:15 p.m. | 22 minutes ago

Description : TOTOLINK A800R V4.1.2cu.5137_B20200730, A810R V4.1.2cu.5182_B20201026, A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a pre-auth remote command execution vulnerability in the NTPSyncWithHost function through the hostTime parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleTired of unsolicited nude pics? Google’s new safety feature can help – how it works

Next Article CVE-2025-28033 – Totolink Router Pre-Auth Buffer Overflow Vulnerability

Highlights

CVE-2025-32441 – Rack Session Pool Session Hijacking Vulnerability

May 7, 2025

CVE ID : CVE-2025-32441

Published : May 7, 2025, 11:15 p.m. | 20 minutes ago

Description : Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests. When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. Version 2.2.14 contains a patch for the issue. Some other mitigations are available. Either ensure the application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse; or implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.

Severity: 4.2 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

How To Prevent WordPress SQL Injection Attacks

Java never goes out of style: Celebrating 30 years of the language

OpenAI o3-pro available in the API, BrowserStack adds Playwright support for real iOS devices, and more – Daily News Digest

Creating The “Moving Highlight” Navigation Bar With JavaScript And CSS

Surface Pro 11 with Snapdragon X Elite drops to lowest price ever

With WH40K Boltgun and Dungeons of Hinterberg, this month’s Humble Choice lineup is stacked for less than $12

I’ve been loving the upgrade to my favorite mobile controller, and there’s even a version for large tablets

Copilot Vision just launched — and Microsoft already added new features

Master Data Management: The Key to Improved Analytics Reporting

Master Data Management: The Key to Improved Analytics Reporting

Salesforce Lead-to-Revenue Management

React Native 0.80 – React 19.1, JS API Changes, Freezing Legacy Arch and much more

Surface Pro 11 with Snapdragon X Elite drops to lowest price ever

Surface Pro 11 with Snapdragon X Elite drops to lowest price ever

With WH40K Boltgun and Dungeons of Hinterberg, this month’s Humble Choice lineup is stacked for less than $12

I’ve been loving the upgrade to my favorite mobile controller, and there’s even a version for large tablets

CVE-2025-28034 – TOTOLINK Router Pre-Auth Remote Command Execution Vulnerability

Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction

Researchers Detail Zero-Click Copilot Exploit ‘EchoLeak’

CVE-2025-4520 – Uncanny Automator WordPress Unauthorized Data Modification Vulnerability

Why Hiring a Fractional CFO in Singapore is a Game-Changer for SMEs

CVE-2025-46777 – Fortinet FortiPortal Information Disclosure Vulnerability

Serverless Image Processing Pipeline with AWS ECS and Lambda

CVE-2025-32441 – Rack Session Pool Session Hijacking Vulnerability

Improve ImgSLI is an image comparison tool

12 apps every Windows 11 power user should install on a new PC

How can we counter online disinformation? | Unlocked 403 cybersecurity podcast (S2E2)

CVE-2025-28034 – TOTOLINK Router Pre-Auth Remote Command Execution Vulnerability

Related Posts