CVE-2026-5978
Totolink · A7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setWiFiAclRules function, allowing remote attackers to execute arbitrary commands.
Executive summary
A critical remote OS command injection vulnerability in the Totolink A7100RU allows unauthenticated attackers to execute arbitrary commands via the mode parameter.
Vulnerability
The setWiFiAclRules handler in /cgi-bin/cstecgi.cgi takes the mode argument from the request and uses it to build an OS command without validating it, so a request whose mode value carries shell metacharacters (for example a ";" followed by a further command) causes the router to run attacker-supplied commands with the privileges of the CGI process. Because the request requires no authentication, any host that can reach the management interface can trigger it.
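The pattern behind this class of bug, as an added illustration that is not the A7100RU firmware source: a CGI handler splices the request's mode value into a command string, and the fix is to accept only allowlisted values (and, ideally, to call the helper through execv with an argv array rather than through a shell). The command template "/sbin/wifi_acl" and the allowed mode values are assumptions made for the example.

```c
/* Illustrative handler code, not the A7100RU firmware source.
 * The command template and the set of allowed mode values are assumptions. */
#include <stdio.h>
#include <string.h>

#define CMD_MAX 256

/* Vulnerable pattern: the attacker-controlled mode value is spliced into a
 * command string that the real firmware would hand to system() or popen().
 * A value such as "allow;reboot" becomes a second shell command. */
int build_acl_cmd_unsafe(const char *mode, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/sbin/wifi_acl set mode=%s", mode);
    return n >= 0 && (size_t)n < outlen;
}

/* Hardened form: the value must match a fixed allowlist exactly. Rejecting
 * unknown values is safer than trying to strip "bad" characters, because
 * the list of characters a shell interprets is long and easy to get wrong. */
static const char *const ALLOWED_MODES[] = { "disable", "allow", "deny" };

int mode_is_allowed(const char *mode)
{
    if (mode == NULL) return 0;
    for (size_t i = 0; i < sizeof ALLOWED_MODES / sizeof ALLOWED_MODES[0]; i++)
        if (strcmp(mode, ALLOWED_MODES[i]) == 0) return 1;
    return 0;
}

int build_acl_cmd_safe(const char *mode, char *out, size_t outlen)
{
    if (!mode_is_allowed(mode)) return 0;   /* reject, do not "sanitize" */
    int n = snprintf(out, outlen, "/sbin/wifi_acl set mode=%s", mode);
    return n >= 0 && (size_t)n < outlen;
}

/* Returns 1 if the string contains characters a POSIX shell would interpret.
 * Useful for logging rejected values, not as a substitute for the allowlist. */
int has_shell_metachars(const char *s)
{
    return s != NULL && strpbrk(s, ";|&`$(){}<>\n") != NULL;
}

int main(void)
{
    char cmd[CMD_MAX];
    /* constructed sample inputs: one benign, two carrying injection attempts */
    const char *inputs[] = { "allow", "allow;reboot", "deny`id`" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_acl_cmd_unsafe(inputs[i], cmd, sizeof cmd);
        printf("unsafe: %-14s -> %s\n", inputs[i], cmd);
        printf("safe  : %-14s -> %s\n", inputs[i],
               build_acl_cmd_safe(inputs[i], cmd, sizeof cmd) ? cmd : "REJECTED");
    }
    return 0;
}
```

Note that the "safe" builder still produces a string; in real firmware the remaining step is to stop using system() altogether and pass the validated value as a separate argv element, so that no shell ever parses it.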
Business impact
The CVSS score of 9.8 signifies a critical risk: the attack is network-reachable, needs no authentication or user interaction, and yields command execution on the device. Successful exploitation gives the attacker control of the router, from which traffic through it can be intercepted or redirected, DNS settings altered, and hosts on the LAN reached for lateral movement.
Remediation
Immediate Action: Apply the latest vendor-provided firmware update, after confirming from the vendor's release notes that the build addresses this CVE; a newer version number alone is not proof that the fix is present.
Proactive Monitoring: Review system logs for suspicious activity and unauthorized command execution. Consumer routers typically keep little local logging, so where possible capture requests to /cgi-bin/cstecgi.cgi at a perimeter device (proxy, IDS, or packet capture) and flag setWiFiAclRules calls whose mode value contains shell metacharacters.
Compensating Controls: Disable remote (WAN-side) access to the web management interface. This removes the internet-facing exposure but does not protect against an attacker who already has a foothold on the LAN, since the endpoint remains reachable there without authentication.
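A simple form of the monitoring check above, as an added example that is not part of the advisory: scan captured HTTP request records for setWiFiAclRules calls whose mode value carries shell metacharacters. The record layout (path plus JSON body) and the "topicurl" field name are assumptions about how a proxy or IDS in front of the router might log such a request; the sample records are constructed.

```c
/* Added detection example, not part of the advisory. The request layout and
 * JSON field names are assumptions; the sample records below are constructed. */
#include <stdio.h>
#include <string.h>

/* Extract the value of a JSON string field "key":"value" into out.
 * Deliberately crude: it does not decode \uXXXX or escaped quotes. */
static int json_str_field(const char *body, const char *key,
                          char *out, size_t outlen)
{
    char pat[64];
    snprintf(pat, sizeof pat, "\"%s\":\"", key);
    const char *p = strstr(body, pat);
    if (!p) return 0;
    p += strlen(pat);
    const char *end = strchr(p, '"');
    if (!end || (size_t)(end - p) >= outlen) return 0;
    memcpy(out, p, (size_t)(end - p));
    out[end - p] = '\0';
    return 1;
}

/* Returns 1 if the request targets cstecgi.cgi with topicurl setWiFiAclRules
 * and a mode value containing characters a shell would interpret. */
int is_suspicious_acl_request(const char *path, const char *body)
{
    char topic[64], mode[128];
    if (path == NULL || body == NULL) return 0;
    if (strstr(path, "/cgi-bin/cstecgi.cgi") == NULL) return 0;
    if (!json_str_field(body, "topicurl", topic, sizeof topic)) return 0;
    if (strcmp(topic, "setWiFiAclRules") != 0) return 0;
    if (!json_str_field(body, "mode", mode, sizeof mode)) return 0;
    return strpbrk(mode, ";|&`$(){}<>\n") != NULL;
}

/* Constructed sample records: source address, request path, request body. */
struct req { const char *src; const char *path; const char *body; };
static const struct req SAMPLES[] = {
    { "192.0.2.10",  "/cgi-bin/cstecgi.cgi",
      "{\"topicurl\":\"setWiFiAclRules\",\"mode\":\"allow\"}" },
    { "198.51.100.7", "/cgi-bin/cstecgi.cgi",
      "{\"topicurl\":\"setWiFiAclRules\",\"mode\":\"allow;reboot\"}" },
    { "192.0.2.11",  "/cgi-bin/cstecgi.cgi",
      "{\"topicurl\":\"getSysStatus\"}" },   /* hypothetical other topic */
    { "192.0.2.12",  "/index.html", "" },
};

/* Walk the constructed records, print hits, and return how many were flagged. */
int count_suspicious(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        if (is_suspicious_acl_request(SAMPLES[i].path, SAMPLES[i].body)) {
            printf("ALERT %s %s %s\n", SAMPLES[i].src, SAMPLES[i].path,
                   SAMPLES[i].body);
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    printf("%d suspicious request(s)\n", count_suspicious());
    return 0;
}
```

Two caveats for anyone turning this into a real detection: JSON allows the same characters to be written as \u escapes (for example \u003b for ";"), so decode the body with a proper JSON parser before matching; and a benign value that is not on the allowlist but carries no metacharacters is still worth a lower-severity log entry, since it indicates someone probing the endpoint.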
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
All Totolink A7100RU units must be updated immediately to a firmware release that addresses this CVE. Until that is done, keep the web management interface off the WAN side and treat any unexplained configuration change or outbound connection from the router as a possible sign of compromise, given that a public exploit is available.