CVE-2026-5976

Totolink · A7100RU

The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setStorageCfg function, allowing remote attackers to execute arbitrary commands.

Executive summary

A critical remote OS command injection vulnerability in the Totolink A7100RU allows unauthenticated attackers to execute arbitrary commands via the sambaEnabled parameter.

Vulnerability

The setStorageCfg function in /cgi-bin/cstecgi.cgi improperly handles the sambaEnabled argument. An attacker can exploit this to inject and execute arbitrary OS commands remotely.
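As an added illustration (not Totolink's firmware code), the C sketch below shows how a handler for an on/off parameter such as sambaEnabled can be written so that the client-supplied string is never handed to a shell: the value is reduced to a validated integer first, the persisted configuration is rendered from that integer, and any privileged action runs a fixed program with a fixed argument vector through fork/execv. The function names and the /usr/sbin/samba_ctl path are assumptions made for this example.

```c
/* Added example, not the vendor's code: allow-list validation for an
 * on/off CGI parameter and a shell-free way to act on it.
 * The injectable pattern this replaces is formatting the raw parameter
 * into a command string and passing that string to system(). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Accept exactly "0" or "1". Returns 0 or 1, or -1 for anything else
 * (extra characters, whitespace, NULL), so no attacker-controlled bytes
 * survive past this point. */
int parse_samba_enabled(const char *value) {
    if (value == NULL) return -1;
    if (strcmp(value, "1") == 0) return 1;
    if (strcmp(value, "0") == 0) return 0;
    return -1;
}

/* Render the configuration line to persist from the validated integer.
 * Returns 0 on success, -1 on an out-of-range value or truncation. */
int render_storage_cfg(int samba_enabled, char *out, size_t outlen) {
    if (samba_enabled != 0 && samba_enabled != 1) return -1;
    int n = snprintf(out, outlen, "samba_enabled=%d\n", samba_enabled);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Apply the setting by executing a fixed binary with a fixed argv.
 * No shell parses anything, so there is no command line to inject into.
 * /usr/sbin/samba_ctl is a hypothetical helper assumed for this example.
 * Returns the child's exit status, or -1 on a local failure. */
int apply_storage_cfg(int samba_enabled) {
    if (samba_enabled != 0 && samba_enabled != 1) return -1;
    char *const argv[] = { "samba_ctl", samba_enabled ? "start" : "stop", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/usr/sbin/samba_ctl", argv);
        _exit(127);             /* exec failed; never fall back to a shell */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample inputs: one valid, one that must be rejected. */
    const char *inputs[] = { "1", "true" };
    char line[32];
    for (size_t i = 0; i < 2; i++) {
        int v = parse_samba_enabled(inputs[i]);
        if (v < 0) {
            printf("rejected sambaEnabled=%s\n", inputs[i]);
            continue;
        }
        if (render_storage_cfg(v, line, sizeof line) == 0)
            printf("persist: %s", line);
    }
    return 0;
}
```

The point of the split is that each stage only ever sees a value already constrained by the previous one: the request parser hands the handler a string, the validator turns it into an integer or a rejection, and nothing downstream ever builds a command from text the client sent.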

Business impact

The CVSS score of 9.8 indicates a critical risk. Successful exploitation grants the attacker full control over the affected hardware, which can be used to exfiltrate data, monitor network traffic, or serve as a launchpad for further network attacks.

Remediation

Immediate Action: Update the device to the latest available firmware provided by the vendor.

Proactive Monitoring: Monitor system logs for unexpected execution of shell commands or configuration changes.

Compensating Controls: Restrict access to the device's web management interface to trusted internal IP addresses only.

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Due to the availability of public exploits and the severity of the command injection, immediate firmware updates are required to secure affected Totolink A7100RU devices against remote compromise.