CVE-2026-6027
Totolink · A7100RU
A remote OS command injection vulnerability in the Totolink A7100RU CGI handler allows unauthenticated remote attackers to execute commands via the enable argument in setUrlFilterRules.
Executive summary
A critical remote OS command injection vulnerability in the Totolink A7100RU router allows unauthenticated attackers to execute arbitrary commands, leading to full device compromise.
Vulnerability
This vulnerability affects the setUrlFilterRules function in /cgi-bin/cstecgi.cgi. An unauthenticated attacker can trigger command injection by manipulating the enable argument.
Business impact
With a CVSS score of 9.8, this vulnerability represents an extreme risk. Successful exploitation allows for complete takeover of the router, potentially leading to widespread data interception, unauthorized network access, and the deployment of persistent malware on the device.
Remediation
Immediate Action: Update the device firmware to the latest version to patch the vulnerable CGI handler.
Proactive Monitoring: Maintain vigilance for anomalous device behavior and audit all management interface logs for unauthorized access attempts.
Compensating Controls: Implement network-level segmentation to isolate the management interface and use a WAF to block requests containing malicious command payloads.
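As an added illustration of the WAF-style compensating control above (not code from the vendor or this advisory), the sketch below validates the enable argument against a strict allowlist instead of trying to recognise payloads. It assumes enable is a 0/1 toggle and that the request body is JSON or form-encoded; the "topicurl" field in the constructed samples is likewise assumed.

```python
import json
import re
from urllib.parse import parse_qsl

CGI_PATH = "/cgi-bin/cstecgi.cgi"     # endpoint named in the advisory
HANDLER = "setUrlFilterRules"         # handler named in the advisory
ALLOWED_ENABLE = re.compile(r"[01]")  # assumption: enable is a 0/1 toggle


def _pairs(text):
    """Decode a JSON object or form-encoded string into (key, value) pairs.

    The body encoding is an assumption; both are tried so that duplicate keys
    and URL/JSON escapes are inspected in decoded form.
    """
    try:
        parsed = json.loads(text, object_pairs_hook=list)
    except ValueError:
        parsed = parse_qsl(text, keep_blank_values=True)
    if not isinstance(parsed, list):
        return []
    return [(p[0], str(p[1])) for p in parsed
            if isinstance(p, (list, tuple)) and len(p) == 2]


def verdict(path, body):
    """Return "block" for a setUrlFilterRules call whose enable is not 0 or 1."""
    route, _, query = path.partition("?")
    pairs = _pairs(query) + _pairs(body)
    if route != CGI_PATH or not any(HANDLER in v for _, v in pairs):
        return "pass"  # not a call to the affected handler
    values = [v for k, v in pairs if k == "enable"]
    # Fail closed: a missing enable, or any copy of it off the allowlist, blocks.
    if values and all(ALLOWED_ENABLE.fullmatch(v) for v in values):
        return "pass"
    return "block"


if __name__ == "__main__":
    # Constructed requests; the "topicurl" field name is assumed for illustration.
    samples = [
        '{"topicurl":"setUrlFilterRules","enable":"1"}',
        '{"topicurl":"setUrlFilterRules","enable":"1;EXAMPLE"}',
        "topicurl=setUrlFilterRules&enable=1&enable=x",
    ]
    for body in samples:
        print(verdict(CGI_PATH, body), body)
```

The same allowlist logic can be expressed as a rule in whatever WAF or reverse proxy fronts the management interface; it does not replace the firmware update.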
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Immediate action is mandatory to mitigate this critical vulnerability. Administrators should apply the vendor's firmware update as soon as possible and ensure that no vulnerable devices remain exposed to the public internet.