CVE-2026-5994
Totolink · A7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setTelnetCfg function, allowing remote attackers to execute arbitrary commands.
Executive summary
A critical remote OS command injection vulnerability in the Totolink A7100RU allows unauthenticated attackers to execute arbitrary commands via the telnet_enabled parameter.
Vulnerability
The setTelnetCfg function in /cgi-bin/cstecgi.cgi fails to sanitize the telnet_enabled argument, enabling remote OS command injection.
Business impact
The CVSS score of 9.8 signifies a critical risk of full device compromise. Attackers can gain root-level access to the router, enabling total control over the device and connected network.
Remediation
Immediate Action: Apply the latest firmware update provided by Totolink.
Proactive Monitoring: Monitor system logs for unauthorized access or command execution attempts.
Compensating Controls: Disable Telnet and remote management access on the device.
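One way to implement the monitoring control above, as an added example that is not part of this advisory or of Totolink's own tooling: it scans request records for calls to /cgi-bin/cstecgi.cgi whose telnet_enabled value is anything other than a plain flag, and falls back to raw extraction when the body is not valid JSON. The log line format, the JSON body with a topicurl field, and the 0/1 allow-list are assumptions; the sample records are constructed.

```python
import json
import re

# Endpoint and parameter named in the advisory for CVE-2026-5994.
VULNERABLE_PATH = "/cgi-bin/cstecgi.cgi"
VULNERABLE_PARAM = "telnet_enabled"
BENIGN_VALUE = re.compile(r"^[01]$")  # assumption: the flag is a bare 0 or 1
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")  # characters with no place in a flag
RAW_PARAM = re.compile(r'"?telnet_enabled"?\s*[:=]\s*"?([^"&}]*)')  # non-JSON fallback

# Constructed sample records (not real Totolink output); assumed line format:
# "<client-ip> <method> <path> <body-or-dash>".
SAMPLE_LOG = """\
10.0.0.5 POST /cgi-bin/cstecgi.cgi {"topicurl":"setTelnetCfg","telnet_enabled":"1"}
10.0.0.9 POST /cgi-bin/cstecgi.cgi {"topicurl":"setTelnetCfg","telnet_enabled":"1;echo probe"}
10.0.0.9 POST /cgi-bin/cstecgi.cgi telnet_enabled=1|echo%20probe
10.0.0.7 GET /index.html -
10.0.0.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"getSysStatusCfg"}
"""

def parse_record(line):
    """Split one log line into ip, method, path and a dict of body parameters."""
    ip, method, path, body = line.split(" ", 3)
    params = {}
    if body != "-":
        try:
            params = {k: str(v) for k, v in json.loads(body).items()}
        except ValueError:
            # A body the JSON parser rejects must not be silently ignored.
            m = RAW_PARAM.search(body)
            if m:
                params[VULNERABLE_PARAM] = m.group(1)
    return {"ip": ip, "method": method, "path": path, "params": params}

def classify(record):
    """Return 'ignore', 'ok' or 'alert' for one parsed request."""
    params = record["params"]
    if record["path"] != VULNERABLE_PATH or VULNERABLE_PARAM not in params:
        return "ignore"
    # Allow-list first: anything that is not a bare 0/1 flag is suspect.
    return "ok" if BENIGN_VALUE.match(params[VULNERABLE_PARAM]) else "alert"

def scan(log_text):
    """Return alerting records, each tagged with whether the value holds a shell metacharacter."""
    alerts = []
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        if classify(rec) == "alert":
            rec["metachar"] = bool(SHELL_META.search(rec["params"][VULNERABLE_PARAM]))
            alerts.append(rec)
    return alerts
```

Run `scan(SAMPLE_LOG)` to see the two records from 10.0.0.9 flagged; the allow-list catches both the JSON and the form-encoded variant without relying on a metacharacter signature.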
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Update Totolink A7100RU firmware immediately to mitigate this critical command injection vulnerability and prevent unauthorized remote access.