CVE-2026-5975
Totolink · A7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setDmzCfg function, allowing remote attackers to execute arbitrary commands.
Executive summary
A critical (CVSS 9.8) OS command injection vulnerability in the Totolink A7100RU allows a remote, unauthenticated attacker to execute arbitrary commands on the device and achieve full system compromise.
Vulnerability
The setDmzCfg function within the /cgi-bin/cstecgi.cgi component fails to sanitize the wanIdx argument before the value reaches an operating-system command. A remote attacker can therefore embed shell syntax in wanIdx and have arbitrary commands executed with the elevated privileges of the CGI handler, which on embedded routers is commonly root.
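The bug class described above, shown as an added illustration that is not Totolink's firmware code: a hypothetical handler that splices the wanIdx string straight into a command line, beside a hardened version that accepts only a small integer and hands it to an argv-style exec so no shell ever parses the value. The command template (dmz_apply), the helper path, MAX_WAN_IDX and all function names are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sketch of the bug class, not Totolink's firmware code.
 * The command template, helper path, MAX_WAN_IDX and function names are
 * assumptions made for this example. */

#define MAX_WAN_IDX 1   /* assumed: the device exposes a small, fixed set of WAN indexes */

/* Vulnerable pattern: the untrusted wanIdx string is spliced into a shell
 * command line that the handler would later pass to system(). A value such
 * as "1;reboot" survives intact, so the shell runs the attacker's command. */
int build_cmd_vulnerable(const char *wan_idx, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "dmz_apply wan%s", wan_idx);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened parse: accept only a short run of ASCII digits whose value lies
 * in the expected range; reject everything else before it reaches any
 * command. Returns 0 on success and stores the index in *idx. */
int parse_wan_idx(const char *s, int *idx)
{
    size_t len;
    long v;
    char *end;

    if (s == NULL || idx == NULL)
        return -1;
    len = strlen(s);
    if (len == 0 || len > 2)                /* at most two digits */
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i]))  /* rejects '-', ' ', ';', '$', '`', ... */
            return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0 || v > MAX_WAN_IDX)
        return -1;
    *idx = (int)v;
    return 0;
}

/* Hardened command construction: only the validated integer is formatted
 * into the interface name, and an argument vector is built for execv()-style
 * execution, so the value is never interpreted by a shell. */
int build_argv_hardened(const char *wan_idx, char *ifname, size_t ifname_len,
                        const char *argv[3])
{
    int idx;
    if (parse_wan_idx(wan_idx, &idx) != 0)
        return -1;
    if (snprintf(ifname, ifname_len, "wan%d", idx) >= (int)ifname_len)
        return -1;
    argv[0] = "/sbin/dmz_apply";   /* assumed helper path */
    argv[1] = ifname;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    char cmd[128];
    char ifname[16];
    const char *argv[3];
    /* constructed sample inputs: one benign index and several injection attempts */
    const char *inputs[] = { "1", "1;reboot", "$(id)", "`id`", "99", "" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_cmd_vulnerable(inputs[i], cmd, sizeof cmd);
        int ok = build_argv_hardened(inputs[i], ifname, sizeof ifname, argv);
        printf("%-10s vulnerable cmd: \"%s\"  hardened: %s\n",
               inputs[i], cmd, ok == 0 ? ifname : "rejected");
    }
    return 0;
}
```

The hardened path is an allow-list on the only shape the parameter can legitimately take; blocking individual metacharacters would leave the same sink exposed to the next encoding trick.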
Business impact
With a CVSS score of 9.8, this vulnerability allows complete device takeover. An attacker can gain persistent access to the router, intercept or redirect the traffic that passes through it, and use the device as a pivot point to attack other systems on the internal network.
Remediation
Immediate Action: Apply the latest firmware update provided by Totolink for the A7100RU.
Proactive Monitoring: Monitor for requests to /cgi-bin/cstecgi.cgi from unknown or external sources and for unusual outbound connections originating from the router itself.
Compensating Controls: Disable remote management on the WAN interface and ensure the device's management interface is not reachable from the public internet.
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
This is a critical vulnerability that allows for full device compromise. Given the availability of public exploits, all affected Totolink A7100RU devices should be updated or isolated from the network immediately to prevent unauthorized access.