CVE-2026-36841

TOTOLINK · N200RE V5

A command injection vulnerability in the TOTOLINK N200RE V5 router allows remote code execution via specially crafted parameters in the formMapDelDevice function.

Executive summary

A critical command injection vulnerability in the TOTOLINK N200RE V5 allows unauthenticated remote attackers to execute arbitrary system commands.

Vulnerability

The device fails to properly sanitize input for the 'macstr' and 'bandstr' parameters within the 'formMapDelDevice' function, enabling command injection.

Business impact

This vulnerability carries a CVSS score of 9.8, which falls in the Critical severity range. An attacker can gain full control over the affected networking hardware, leading to total network compromise, data interception, and use of the device as a pivot point for further attacks on the internal network.

Remediation

Immediate Action: Apply the latest firmware update provided by TOTOLINK to address the command injection flaw.

Proactive Monitoring: Monitor network traffic for unusual outbound connections or attempts to access administrative functions from unexpected sources.

Compensating Controls: Disable remote management interfaces on the WAN side and restrict access to the device management console to trusted internal IP addresses only.
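The monitoring and access-restriction guidance above can be turned into a log check. The following is an added example, not code from the advisory or from TOTOLINK: it flags requests that reference formMapDelDevice from outside a trusted subnet or whose 'macstr' / 'bandstr' values fail a strict allow-list. The request tuple layout, the `/placeholder/` path, the trusted subnet, the value formats and the idea that the handler name appears in the request path are all assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions, not taken from the advisory: the trusted management subnet,
# the expected value formats, and that the handler name appears in the path.
TRUSTED_NET = ipaddress.ip_network("192.168.0.0/24")
ALLOWED = {
    "macstr": re.compile(r"(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}"),
    "bandstr": re.compile(r"[0-9A-Za-z.]{1,8}"),
}
HANDLER = "formMapDelDevice"


def inspect(src_ip, target, body=""):
    """Return findings for one HTTP request (source IP, request target, body)."""
    url = urlsplit(target)
    if HANDLER not in url.path:
        return []
    findings = []
    if ipaddress.ip_address(src_ip) not in TRUSTED_NET:
        findings.append("handler reached from untrusted source")
    # Parameters may arrive in the query string or a form-encoded body;
    # parse_qsl percent-decodes them before the allow-list check.
    params = parse_qsl(url.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    for name, value in params:
        pattern = ALLOWED.get(name)
        if pattern is not None and not pattern.fullmatch(value):
            findings.append(f"{name} fails allow-list: {value!r}")
    return findings


# Constructed sample requests; "/placeholder/" stands in for the real path.
SAMPLES = [
    ("192.168.0.10", "/placeholder/formMapDelDevice",
     "macstr=AA%3ABB%3ACC%3ADD%3AEE%3AFF&bandstr=5G"),
    ("203.0.113.7", "/placeholder/formMapDelDevice",
     "macstr=AA%3ABB%3ACC%3ADD%3AEE%3AFF%3Bexample&bandstr=5G"),
    ("192.168.0.10", "/index.html", ""),
]

if __name__ == "__main__":
    for src, target, body in SAMPLES:
        for finding in inspect(src, target, body):
            print(f"{src} {target}: {finding}")
```

An allow-list is used rather than a list of shell metacharacters so that any value outside the expected format is reported, whatever encoding it arrived in.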

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This is a critical security risk that requires immediate mitigation. Administrators must patch the affected firmware without delay to prevent full device compromise by unauthenticated remote actors.