CVE-2026-5997

Totolink · A7100RU

A remote OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated attackers to execute arbitrary system commands via the admpass argument.

Executive summary

A critical remote OS command injection vulnerability in the Totolink A7100RU router allows unauthenticated attackers to gain full control of the device.

Vulnerability

The vulnerability resides in the setLoginPasswordCfg function of the /cgi-bin/cstecgi.cgi file. An unauthenticated attacker can trigger OS command injection by manipulating the admpass argument.

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical threat to network security. An attacker achieving command injection can modify administrative credentials, reconfigure security settings, or use the device as a persistent beachhead for further attacks, leading to total loss of control over the affected network segment.

Remediation

Immediate Action: Update the device to the latest available firmware version provided by the manufacturer.

Proactive Monitoring: Review system configuration logs for unauthorized changes to administrative accounts or suspicious web requests targeting the CGI handler.

Compensating Controls: Disable remote management features on the router and ensure the device is not accessible from the public internet until the patch is applied.
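The Proactive Monitoring step can be partly automated. The following is an added example, not vendor or advisory code: it scans request records for calls to setLoginPasswordCfg on /cgi-bin/cstecgi.cgi and flags admpass values containing shell metacharacters, plus password changes from outside a management range. The JSON log schema (src, path, action, params), the management network and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # handler named in the advisory
FUNCTION = "setLoginPasswordCfg"    # function named in the advisory
PARAM = "admpass"                   # argument named in the advisory
# Shell metacharacters; real passwords may contain some, so triage every hit.
SHELL_META = set(";|&`$()<>\n\r")
MGMT_NET = ipaddress.ip_network("192.0.2.0/28")  # assumption: admin hosts

# Constructed sample records; the schema (src, path, action, params) is hypothetical.
SAMPLE_LOG = """\
{"src": "192.0.2.5", "path": "/cgi-bin/cstecgi.cgi", "action": "setLoginPasswordCfg", "params": {"admpass": "Correct-Horse-42"}}
{"src": "198.51.100.23", "path": "/cgi-bin/cstecgi.cgi", "action": "setLoginPasswordCfg", "params": {"admpass": "Spring2026"}}
{"src": "203.0.113.77", "path": "/cgi-bin/cstecgi.cgi", "action": "setLoginPasswordCfg", "params": {"admpass": "x;PLACEHOLDER"}}
{"src": "203.0.113.77", "path": "/index.html", "action": "", "params": {}}
not-json garbage line
"""

def classify(record):
    """Return 'injection', 'review' (change from outside MGMT_NET) or None."""
    path = str(record.get("path", "")).split("?")[0]
    if path != CGI_PATH or record.get("action") != FUNCTION:
        return None
    params = record.get("params")
    value = str(params.get(PARAM, "")) if isinstance(params, dict) else ""
    if SHELL_META & set(value):
        return "injection"
    try:
        inside = ipaddress.ip_address(str(record.get("src", ""))) in MGMT_NET
    except ValueError:
        inside = False
    return None if inside else "review"

def scan(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        verdict = classify(record) if isinstance(record, dict) else None
        if verdict:
            findings.append((lineno, record.get("src"), verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Adapt the field names to whatever the reverse proxy, IDS or packet capture in front of the router actually records.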

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Given the critical nature of this flaw and the availability of functional exploits, remediation should be treated as an emergency task. Administrators must ensure all vulnerable units are updated to a secure firmware version to maintain the integrity of the network infrastructure.