CVE-2026-5977
Totolink · A7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setWiFiBasicCfg function, allowing remote attackers to execute arbitrary commands.
Executive summary
A critical remote OS command injection vulnerability in the Totolink A7100RU allows unauthenticated attackers to execute arbitrary commands via the wifiOff parameter.
Vulnerability
The setWiFiBasicCfg function in /cgi-bin/cstecgi.cgi fails to sanitize the wifiOff argument, enabling remote OS command injection.
Business impact
With a CVSS score of 9.8, this flaw allows for total system compromise. Attackers can gain persistent access, manipulate network settings, and compromise the security of all devices connected to the router.
Remediation
Immediate Action: Update the device firmware to the latest version provided by the manufacturer.
Proactive Monitoring: Monitor the router for unauthorized configuration changes or anomalous traffic patterns.
Compensating Controls: Isolate the management interface from the public internet using firewall rules.
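The monitoring recommendation above can be made concrete with a small log check. The following is an added example, not code from the advisory or from Totolink: it scans an HTTP request log kept in front of the router (a reverse proxy or IDS capture) for requests to /cgi-bin/cstecgi.cgi that invoke setWiFiBasicCfg with a wifiOff value outside the expected on/off values or containing shell metacharacters. The log line format, the parameter key carrying the function name, the allowlist of 0/1 for wifiOff and all sample lines are assumptions constructed for the example; only the endpoint path, the function name and the parameter name come from the advisory.

```python
"""Added example: flag suspicious setWiFiBasicCfg requests in an HTTP request log.

Assumed log line format (constructed for this example, not a Totolink log):
    <timestamp> <client-ip> <method> <path> [<url-encoded parameters>]
Only CGI_PATH, TARGET_FUNC and the wifiOff parameter name come from the
advisory; the log layout, the 0/1 allowlist and the sample lines are assumptions.
"""
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNC = "setWiFiBasicCfg"

# wifiOff is an on/off switch, so anything other than "0" or "1" is anomalous
# (assumed allowlist; adjust to the values the firmware actually accepts).
WIFIOFF_ALLOWED = re.compile(r"^[01]$")
# Characters a shell would interpret; their presence in a boolean field is a strong signal.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<params>\S+))?$"
)

# Constructed sample log; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2026-01-01T10:00:00Z 192.0.2.10 POST /cgi-bin/cstecgi.cgi op=setWiFiBasicCfg&wifiOff=0&ssid=home",
    "2026-01-01T10:00:05Z 192.0.2.10 GET /index.html",
    "2026-01-01T10:01:00Z 198.51.100.7 POST /cgi-bin/cstecgi.cgi op=setWiFiBasicCfg&wifiOff=1%3BPLACEHOLDER&ssid=home",
    "2026-01-01T10:02:00Z 198.51.100.7 POST /cgi-bin/cstecgi.cgi op=setWiFiBasicCfg&wifiOff=abc",
]


def parse_line(line):
    """Split one log line into its fields; parameters are decoded with parse_qs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # keep_blank_values so an empty wifiOff is still seen and judged against the allowlist
    fields["params"] = parse_qs(fields["params"] or "", keep_blank_values=True)
    return fields


def classify_request(path, params):
    """Return the reasons a request looks like abuse of setWiFiBasicCfg (empty list if benign)."""
    if path != CGI_PATH:
        return []
    # The key that selects the CGI function is assumed; match on the value instead.
    if not any(v == TARGET_FUNC for values in params.values() for v in values):
        return []
    reasons = []
    for value in params.get("wifiOff", []):
        if not WIFIOFF_ALLOWED.match(value):
            reasons.append("wifiOff outside expected values 0/1")
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in wifiOff")
    return reasons


def scan_log(lines):
    """Return one finding per suspicious request: timestamp, client IP and reasons."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        reasons = classify_request(fields["path"], fields["params"])
        if reasons:
            findings.append({"ts": fields["ts"], "ip": fields["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']}: {', '.join(finding['reasons'])}")
```

Run against the constructed sample, the check reports the two requests from 198.51.100.7 and ignores the legitimate wifiOff=0 change. The allowlist check is the more robust of the two signals: it catches encodings and characters the metacharacter regex does not list, which is why a boolean parameter should be validated against its expected values rather than filtered for known-bad characters.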
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Immediate firmware updates are required for all Totolink A7100RU units to mitigate this critical command injection risk. Failure to patch leaves the device fully vulnerable to remote takeover.