CVE-2026-5853
Totolink · A7100RU
The Totolink A7100RU is vulnerable to remote OS command injection via the setIpv6LanCfg function, exploitable through the addrPrefixLen argument in the CGI handler.
Executive summary
A critical OS command injection vulnerability in Totolink A7100RU routers allows remote, unauthenticated attackers to execute arbitrary operating-system commands on the device.
Vulnerability
The setIpv6LanCfg function within the CGI handler fails to sanitize user input for the addrPrefixLen parameter, leading to an OS command injection vulnerability accessible to unauthenticated remote attackers.
Business impact
Successful exploitation results in full control of the device, enabling the attacker to manipulate network traffic and pivot into the internal network. The 9.8 CVSS score reflects the high severity of this remote, unauthenticated access vector.
Remediation
Immediate Action: Update the affected device to the latest firmware version provided by the manufacturer.
Proactive Monitoring: Review system logs for suspicious activity and monitor for unexpected changes to IPv6 settings.
Compensating Controls: Restrict management access to the device to a dedicated, secure management VLAN or trusted local IP addresses.
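The Vulnerability section above says the handler does not sanitize addrPrefixLen, and the monitoring step above asks administrators to watch for unexpected IPv6 setting changes. The following added example (not the vendor's code and not derived from the device firmware) shows both the strict allow-list check an IPv6 prefix length should pass and a scanner that flags access-log requests whose addrPrefixLen value fails that check. The CGI path, the query-string framing, the log format and the log lines themselves are constructed assumptions; the page only names setIpv6LanCfg and addrPrefixLen.

```python
import re
from urllib.parse import parse_qs, urlsplit

# An IPv6 prefix length is a plain decimal integer in 0..128. Anything else
# (sign, leading zeros, spaces, shell metacharacters, empty) is rejected.
_PREFIX_RE = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def valid_prefix_len(value: str) -> bool:
    """Allow-list check for addrPrefixLen: digits only and 0 <= n <= 128."""
    if not _PREFIX_RE.fullmatch(value):
        return False
    return int(value) <= 128


# Common-log-format request line: client IP first, request in quotes.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_value) for every request whose addrPrefixLen
    parameter is not a valid prefix length. Lines without that parameter
    are ignored; a present-but-empty value is reported."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in params.get("addrPrefixLen", []):
            if not valid_prefix_len(raw):
                hits.append((client, raw))
    return hits


# Constructed sample log (assumption: /cgi-bin/PLACEHOLDER.cgi stands in for
# the real CGI endpoint, and the handler is selected by ?fn=setIpv6LanCfg).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2026:10:00:01 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?fn=setIpv6LanCfg&addrPrefixLen=64 HTTP/1.1" 200 17
198.51.100.7 - - [01/Jan/2026:10:00:02 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?fn=setIpv6LanCfg&addrPrefixLen=64%3Bx HTTP/1.1" 200 17
192.0.2.11 - - [01/Jan/2026:10:00:03 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?fn=setIpv6LanCfg&addrPrefixLen=300 HTTP/1.1" 200 17
192.0.2.12 - - [01/Jan/2026:10:00:04 +0000] "GET /cgi-bin/PLACEHOLDER.cgi?fn=setIpv6LanCfg&addrPrefixLen=48 HTTP/1.1" 200 17
"""

if __name__ == "__main__":
    for client, raw in scan_log(SAMPLE_LOG):
        print(f"suspicious addrPrefixLen from {client}: {raw!r}")
```

The same `valid_prefix_len` rule is what a patched handler should enforce before the value reaches any command string; on the monitoring side, a single flagged request is worth investigating because a legitimate configuration change never carries a non-numeric prefix length.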
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Given the high-risk nature of this vulnerability and the availability of public exploits, immediate firmware updates are essential. Administrators should treat this as a high-priority remediation task for all deployed A7100RU units.