CVE-2026-5851

Totolink · A7100RU

The Totolink A7100RU is susceptible to remote OS command injection via the setUPnPCfg function, specifically through the enable parameter in the CGI handler.

Executive summary

A critical OS command injection vulnerability in the Totolink A7100RU allows remote, unauthenticated attackers to execute arbitrary commands with root-level privileges.

Vulnerability

The vulnerability resides in the setUPnPCfg function within the /cgi-bin/cstecgi.cgi component. An unauthenticated attacker can manipulate the enable parameter to inject and execute arbitrary OS commands.

Business impact

This vulnerability enables full remote control of the affected device, potentially exposing the entire local area network to unauthorized surveillance or data exfiltration. With a CVSS score of 9.8, the impact includes total loss of device integrity and potential compromise of connected internal assets.

Remediation

Immediate Action: Update the device firmware to the latest version supplied by the vendor to eliminate the command injection vector.

Proactive Monitoring: Review system logs for suspicious process spawning and monitor for unexpected changes to the UPnP configuration.

Compensating Controls: Disable UPnP and restrict access to the web management interface to trusted IP addresses only.
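One way to act on the monitoring and access-restriction advice above, as an added example that is not part of the original advisory or of any vendor code: it audits request records captured by a proxy in front of the management interface and flags setUPnPCfg calls whose enable value is not a plain flag or that arrive from outside a trusted list. The JSON-lines log layout, the JSON request body with a topicurl field, the 0/1 values for enable, and the addresses are all assumptions.

```python
import json

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # component named in the advisory
FUNCTION = "setUPnPCfg"             # function named in the advisory
ALLOWED_ENABLE = {"0", "1"}         # assumption: enable is an on/off flag
TRUSTED_SOURCES = {"192.0.2.10"}    # assumption: management host (constructed)

def classify(record):
    """Return the list of findings for one parsed request record."""
    if str(record.get("path", "")).split("?", 1)[0] != CGI_PATH:
        return []
    body = record.get("body", "")
    try:
        params = json.loads(body)
    except (TypeError, ValueError):
        # A body that does not parse but still names the function needs review.
        return ["unparseable-body"] if FUNCTION in str(body) else []
    if not isinstance(params, dict) or params.get("topicurl") != FUNCTION:
        return []
    findings = []
    # Allow-list check: anything other than a bare flag value is reported.
    if str(params.get("enable")) not in ALLOWED_ENABLE:
        findings.append("enable-not-a-flag")
    if record.get("src") not in TRUSTED_SOURCES:
        findings.append("untrusted-source")
    return findings

def audit(lines):
    """Scan JSON-lines records; return (ts, src, findings) for each alert."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # malformed log line, not a request record
        findings = classify(record) if isinstance(record, dict) else []
        if findings:
            alerts.append((record.get("ts"), record.get("src"), findings))
    return alerts

# Constructed sample records (hypothetical log format, documentation addresses).
SAMPLE_LOG = [json.dumps({"ts": t, "src": s, "path": CGI_PATH, "body": b}) for t, s, b in [
    ("2026-01-01T10:00:00Z", "192.0.2.10", json.dumps({"topicurl": FUNCTION, "enable": "1"})),
    ("2026-01-01T10:05:00Z", "198.51.100.7", json.dumps({"topicurl": FUNCTION, "enable": "0"})),
    ("2026-01-01T10:06:00Z", "198.51.100.7", json.dumps({"topicurl": FUNCTION, "enable": "1;PLACEHOLDER"})),
    ("2026-01-01T10:07:00Z", "192.0.2.10", "topicurl=setUPnPCfg&enable=1"),
]] + ["not json"]
```

Calling `audit(SAMPLE_LOG)` returns one tuple per suspicious request; adjust the field names to match the log source actually in use.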

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Given the availability of public exploits and the critical nature of command injection, users must prioritize firmware remediation. Ensure all Totolink A7100RU devices are patched to prevent remote code execution attacks.