CVE-2026-5993
Totolink · A7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setWiFiGuestCfg function, allowing remote attackers to execute arbitrary commands.
Executive summary
A critical remote OS command injection vulnerability in the Totolink A7100RU allows unauthenticated attackers to execute arbitrary commands via the wifiOff parameter.
Vulnerability
The setWiFiGuestCfg function in /cgi-bin/cstecgi.cgi fails to sanitize the wifiOff argument, enabling remote OS command injection.
Business impact
The CVSS score of 9.8 reflects a critical security risk. Exploitation allows for complete takeover of the router, potentially exposing internal network traffic and credentials.
Remediation
Immediate Action: Update to the latest firmware version released by the manufacturer.
Proactive Monitoring: Monitor for unauthorized configuration changes or abnormal system behavior.
Compensating Controls: Restrict management interface access to trusted internal networks.
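The "Proactive Monitoring" item above leaves open what to look for. The following is an added example (not Totolink's code and not part of this advisory) showing the two checks a defender can put in front of or behind the management interface: an allow-list validator for the wifiOff parameter, and a scan over access-log lines that flags requests to /cgi-bin/cstecgi.cgi whose wifiOff value is anything other than an allow-listed flag. It assumes that legitimate wifiOff values are the boolean flags "0" or "1", that the request line is recorded in a common-log-format style by a reverse proxy or syslog forwarder, and that parameters may arrive either in the query string or in a urlencoded body; all three are assumptions, and the log lines are constructed for the example.

```python
"""Detection helper for requests matching the CVE-2026-5993 pattern.

Added example, not the vendor's code. Assumptions (not stated in the advisory):
  * the legitimate wifiOff value is a boolean flag, "0" or "1";
  * requests are logged in a common-log-format style line;
  * parameters may be in the query string or a urlencoded body.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Path of the CGI handler named in the advisory.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"

# Characters that a shell interprets and that have no place in a flag value.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r]")

# Common-log-format style line: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def wifioff_is_valid(value: str) -> bool:
    """Allow-list check: reject everything except the two expected flag values."""
    return value in ("0", "1")


def classify_request(target: str, body: str = "") -> dict:
    """Decide whether a request to the CGI handler carries a bad wifiOff value.

    target: the request target from the log line (path plus query string).
    body:   optional urlencoded POST body, if the log source captures it.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return {"suspicious": False, "reason": "other endpoint"}

    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        for key, vals in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(vals)

    for value in params.get("wifiOff", []):
        if wifioff_is_valid(value):
            continue
        if SHELL_META.search(value):
            reason = f"wifiOff={value!r} contains a shell metacharacter"
        else:
            reason = f"wifiOff={value!r} is not an allow-listed flag value"
        return {"suspicious": True, "reason": reason}

    return {"suspicious": False, "reason": "wifiOff absent or valid"}


def scan_log(lines):
    """Return (ip, timestamp, reason) for every suspicious request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        verdict = classify_request(m["target"])
        if verdict["suspicious"]:
            findings.append((m["ip"], m["ts"], verdict["reason"]))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=setWiFiGuestCfg&wifiOff=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=setWiFiGuestCfg&wifiOff=1%3Becho%20x HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '192.0.2.3 - - [01/Jan/2026:10:00:03 +0000] "POST /cgi-bin/cstecgi.cgi?wifiOff=yes HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip}: {reason}")
```

The allow-list check is the part worth carrying over into a proxy or WAF rule: because the parameter is a flag, rejecting anything that is not exactly "0" or "1" catches injection attempts without having to enumerate shell syntax, while the metacharacter match only serves to give the analyst a more specific reason string.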
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Immediate firmware updates are required to secure Totolink A7100RU devices against this critical command injection flaw.