CVE-2025-51390

TOTOLINK · TOTOLINK Multiple Products

A critical command injection vulnerability has been discovered in multiple TOTOLINK products, rated with a CVSS score of 9.8.

Executive summary

This flaw allows an unauthenticated attacker to remotely execute arbitrary commands on an affected device by sending a specially crafted request, potentially leading to complete compromise of the device. Successful exploitation could result in data theft, network disruption, and use of the compromised router in further attacks.

Vulnerability

This is a command injection vulnerability in the setWiFiWpsConfig function of the device's firmware. The pin parameter, used for WPS configuration, is not properly sanitized before being passed into a system shell command. An attacker can submit a request whose pin value contains shell commands (e.g., 12345678; reboot). When the router processes the request, the injected command executes with system privileges, resulting in remote code execution (RCE).

Business impact

The vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk of compromise with low attack complexity. An attacker who successfully exploits this vulnerability can gain full administrative (root) control over the network device. This level of access could lead to severe consequences, including the interception and theft of all network traffic (e.g., credentials, financial information), redirection of users to malicious websites via DNS hijacking, deployment of malware on the internal network, and using the device as part of a botnet for DDoS attacks. The integrity, confidentiality, and availability of the network are all at significant risk.

Remediation

Immediate Action: The primary remediation is to apply vendor-supplied firmware updates immediately. Organizations should identify all affected TOTOLINK devices and update them to the latest patched version as specified in the vendor's security advisory. After patching, monitor devices for any signs of compromise and review historical access logs for suspicious requests targeting the setWiFiWpsConfig function.

Proactive Monitoring:

  • Log Analysis: Scrutinize web server logs on the router for requests to the endpoint associated with the setWiFiWpsConfig function. Look for any pin parameter values containing shell metacharacters such as ;, |, &, $(...), or the backtick (`).
  • Network Traffic Analysis: Monitor for anomalous outbound traffic from the router to unknown or suspicious IP addresses, which could indicate communication with an attacker's command-and-control (C2) server.
  • System Behavior: Monitor for unexpected reboots, high CPU utilization, or unfamiliar processes running on the device.
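The two checks above (a pin value that would never pass a strict allow-list, and a pin value carrying shell metacharacters) can be run over exported router logs in a few lines. The script below is an added example, not TOTOLINK code or a tool from the advisory: the log line format (Apache-style combined log), the endpoint path /example/setWiFiWpsConfig and the sample requests are all constructed placeholders, since the advisory does not give the real endpoint path. The allow-list check also illustrates what a hardened setWiFiWpsConfig handler should enforce before a pin value reaches any shell: exactly eight ASCII digits whose last digit is the WPS checksum digit.

```python
"""Flag suspicious WPS `pin` values in web server log lines (constructed example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder: the advisory does not name the real endpoint path, so we match
# any request whose path mentions the vulnerable function.
TARGET_PATH_FRAGMENT = "setWiFiWpsConfig"

# Shell metacharacters named in the advisory (; | & $( ) `) plus a few more
# that the same shell would interpret if they reached a command line.
SHELL_META = re.compile(r"[;|&`$(){}<>\n\r]")

# Request line inside an Apache/nginx style access-log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def wps_pin_is_valid(pin: str) -> bool:
    """Allow-list a pin the way a hardened handler should: 8 ASCII digits,
    last digit equal to the WPS checksum over the first seven."""
    if not re.fullmatch(r"[0-9]{8}", pin):
        return False
    d = [int(c) for c in pin]
    acc = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - acc % 10) % 10 == d[7]


def classify_pin(pin: str):
    """Return a finding label for a pin value, or None when it looks benign."""
    if SHELL_META.search(pin):
        return "shell-metacharacter"
    if not wps_pin_is_valid(pin):
        return "not-a-valid-wps-pin"
    return None


def scan_log(lines):
    """Return (line number, decoded pin value, reason) for each suspicious
    request to the WPS configuration endpoint."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if TARGET_PATH_FRAGMENT not in parts.path:
            continue
        # parse_qs percent-decodes, so an encoded %3B shows up as ';' here.
        params = parse_qs(parts.query, keep_blank_values=True)
        for pin in params.get("pin", []):
            reason = classify_pin(pin)
            if reason:
                findings.append((lineno, pin, reason))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, placeholder path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /example/setWiFiWpsConfig?pin=12345670 HTTP/1.1" 200 42',
    '198.51.100.9 - - [01/Jan/2025:10:00:05 +0000] "GET /example/setWiFiWpsConfig?pin=12345678%3B%20reboot HTTP/1.1" 200 42',
    '198.51.100.9 - - [01/Jan/2025:10:00:09 +0000] "GET /example/setWiFiWpsConfig?pin=1234567 HTTP/1.1" 200 42',
    '198.51.100.7 - - [01/Jan/2025:10:00:12 +0000] "GET /example/status?pin=%60id%60 HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for lineno, pin, reason in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: pin={pin!r} ({reason})")
```

Only requests to the WPS endpoint are inspected, so the fourth sample line (a different path) is ignored even though its value carries backticks; widen TARGET_PATH_FRAGMENT if the firmware exposes the parameter elsewhere. Note that parameters sent in a POST body do not appear in a standard access log, so this check covers GET-style requests only; body inspection needs a capture at the proxy or firewall instead.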

Compensating Controls: If patching cannot be performed immediately, implement the following controls to reduce risk:

  • Disable remote (WAN-side) administration of the router.
  • Restrict access to the device's web administration interface to a limited set of trusted IP addresses.
  • Disable the WPS (Wi-Fi Protected Setup) feature, as the vulnerable function is directly related to it.
  • Use a firewall to block unexpected outbound connections originating from the router itself.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of this vulnerability, we recommend that organizations treat this as a high-priority issue and take immediate action. The primary course of action is to apply the vendor-provided firmware updates across all affected TOTOLINK devices without delay. If patching is not immediately feasible, the compensating controls listed above, particularly disabling remote management and the WPS feature, should be implemented as a temporary measure. Although this CVE is not currently on the CISA KEV list, its critical nature warrants an urgent response to prevent potential device compromise and network intrusion.