CVE-2026-6112
Totolink · A7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler via the maxRtrAdvInterval argument.
Executive summary
A remote OS command injection vulnerability in the Totolink A7100RU router poses a critical risk of full system compromise.
Vulnerability
The vulnerability exists in the setRadvdCfg function within /cgi-bin/cstecgi.cgi. An unauthenticated attacker can inject arbitrary OS commands by manipulating the maxRtrAdvInterval argument.
Business impact
Successful exploitation allows an attacker to execute arbitrary code with elevated privileges on the affected device. Given the CVSS score of 9.8, this vulnerability presents a critical threat, potentially leading to unauthorized network access, data exfiltration, or the inclusion of the device in a botnet, causing significant operational downtime.
Remediation
Immediate Action: Update the affected device firmware to the latest available version provided by the manufacturer.
Proactive Monitoring: Inspect system and firewall logs for unusual outbound traffic or unexpected command execution patterns originating from the router's management interface.
Compensating Controls: Restrict access to the router’s management interface to trusted internal IP addresses and disable remote administration features until the patch is applied.
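The "Proactive Monitoring" item above can be turned into a concrete check. The following Python classifier is an added example (not Totolink's code): it flags requests to /cgi-bin/cstecgi.cgi whose maxRtrAdvInterval value is anything other than a small integer, which is the only form a legitimate radvd configuration change can take. How the device logs requests and whether the argument arrives in the query string or a JSON body are assumptions, and the sample records are constructed.

```python
"""Added detection example (not Totolink's code): flag requests to the
cstecgi.cgi handler whose maxRtrAdvInterval argument is not a plain integer."""
import json
import re
from urllib.parse import parse_qs, urlsplit

HANDLER = "/cgi-bin/cstecgi.cgi"
ARG = "maxRtrAdvInterval"
# RFC 4861 bounds MaxRtrAdvInterval to 4..1800 whole seconds, so a legitimate
# client never sends anything but a short digit string in this field.
INTEGER = re.compile(r"^[0-9]{1,4}$")
SHELL_SYNTAX = re.compile(r"[;|&`$(){}<>\\\n]")

def extract_arg(url, body=""):
    """Return the maxRtrAdvInterval value from the query string or JSON body, else None."""
    parts = urlsplit(url)
    if parts.path != HANDLER:
        return None
    query = parse_qs(parts.query)  # percent-decodes, so %3B becomes ';'
    if ARG in query:
        return query[ARG][0]
    try:  # assumption: the handler may also take the argument as a JSON body
        data = json.loads(body) if body else {}
    except ValueError:
        return None
    value = data.get(ARG) if isinstance(data, dict) else None
    return None if value is None else str(value)

def classify(url, body=""):
    """'ok', 'malformed' or 'injection' for a relevant request; None otherwise."""
    value = extract_arg(url, body)
    if value is None:
        return None
    if INTEGER.match(value) and 4 <= int(value) <= 1800:
        return "ok"
    if SHELL_SYNTAX.search(value):
        return "injection"  # shell metacharacters where only digits belong
    return "malformed"      # e.g. out of range or alphabetic junk

# Constructed request records (url, body) standing in for parsed log entries.
SAMPLE_REQUESTS = [
    ("/cgi-bin/cstecgi.cgi?maxRtrAdvInterval=600", ""),
    ("/cgi-bin/cstecgi.cgi?maxRtrAdvInterval=600%3Bexample", ""),
    ("/cgi-bin/cstecgi.cgi", '{"maxRtrAdvInterval": "9999"}'),
    ("/index.html", ""),
]

def scan(requests):
    """Return the indices of requests classified as injection attempts."""
    return [i for i, (u, b) in enumerate(requests) if classify(u, b) == "injection"]
```

Feeding the classifier with parsed entries from the router's web-server or an upstream proxy log gives a per-request verdict; a request in the "injection" class against an unpatched device should be treated as an attempted compromise, not a malformed configuration change.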
Exploitation status
Public Exploit Available: True
Analyst recommendation
The presence of a public exploit for a critical command injection flaw necessitates immediate remediation. Administrators should prioritize updating the affected Totolink routers and ensuring that management interfaces are not exposed to the public internet.