CVE-2026-5995
Totolink · A7100RU
The Totolink A7100RU CGI Handler contains an OS command injection vulnerability in the setMiniuiHomeInfoShow function, allowing remote attackers to execute arbitrary commands.
Executive summary
A critical OS command injection vulnerability in the Totolink A7100RU allows unauthenticated remote attackers to execute arbitrary commands on the router by supplying a crafted lan_info parameter to the setMiniuiHomeInfoShow handler.
Vulnerability
The setMiniuiHomeInfoShow function in /cgi-bin/cstecgi.cgi fails to validate or sanitize the lan_info argument before it reaches an OS command, so shell metacharacters embedded in the value are interpreted by the shell and any appended command is executed on the device.
Business impact
A CVSS score of 9.8 rates this vulnerability as critical. Because the commands execute on the router itself, a successful attacker gains full control of the device and can intercept, modify or redirect all traffic passing through it, and use the router as a foothold into the network behind it.
Remediation
Immediate Action: Apply the latest vendor-provided firmware update for the A7100RU, and confirm the installed firmware version afterwards.
Proactive Monitoring: Monitor network and device logs for requests to /cgi-bin/cstecgi.cgi whose lan_info value contains shell metacharacters (for example ; | & ` $), and for unexpected processes or outbound connections from the router.
Compensating Controls: Restrict device management access to trusted local networks; ensure the web interface is not reachable from the WAN and keep untrusted clients away from the management interface until the patch is applied.
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
All Totolink A7100RU devices must be updated immediately to the latest firmware to prevent unauthorized remote command execution and full compromise of the device. Where the update cannot be applied at once, the compensating controls above should be in place, and the exposure of the management interface should be verified rather than assumed.