CVE-2026-6114
Totolink · A7100RU
A remote OS command injection vulnerability exists in the Totolink A7100RU CGI handler via the proto argument.
Executive summary
A remote OS command injection vulnerability in the Totolink A7100RU router enables unauthenticated remote code execution.
Vulnerability
The setNetworkCfg function in /cgi-bin/cstecgi.cgi fails to properly sanitize the proto argument, allowing an unauthenticated attacker to inject and execute arbitrary OS commands.
Business impact
The CVSS score of 9.8 reflects the high probability and impact of this vulnerability. Compromise of the router allows for total network visibility and control, posing a dire risk to the confidentiality, integrity, and availability of all connected systems.
Remediation
Immediate Action: Update the device to the most recent firmware version available from the manufacturer.
Proactive Monitoring: Monitor for anomalous system behavior and unauthorized configuration changes on the router.
Compensating Controls: Disable remote management interfaces and restrict access to the device's web management console to authorized personnel only.
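To make the "proactive monitoring" item concrete for the flaw described under Vulnerability, here is an added detection example (not code from Totolink or from this advisory) that scans constructed web-server access-log lines for requests to /cgi-bin/cstecgi.cgi whose proto argument carries shell metacharacters or an unexpected value. It assumes the argument arrives as a query-string parameter and that the legitimate proto values are "dhcp", "static" and "pppoe"; both are assumptions, not facts from the page, and the same allowlist check is what a fixed handler should apply before the value reaches any command.

```python
import re
from urllib.parse import parse_qs

# Characters that let a parameter value break out of a shell command string.
SHELL_META = re.compile(r"[;&|`$()<>\r\n]")
# Assumed set of legitimate proto values; replace with the firmware's real list.
EXPECTED_PROTO = {"dhcp", "static", "pppoe"}
VULNERABLE_PATH = "/cgi-bin/cstecgi.cgi"  # handler named in the advisory

# Constructed sample log lines (CLF-style); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:00:00:01 +0000] "GET /cgi-bin/cstecgi.cgi?proto=dhcp HTTP/1.1" 200 51',
    '192.0.2.11 - - [01/Jan/2026:00:00:02 +0000] "GET /cgi-bin/cstecgi.cgi?proto=dhcp%3Bid HTTP/1.1" 200 51',
    '192.0.2.12 - - [01/Jan/2026:00:00:03 +0000] "GET /cgi-bin/cstecgi.cgi?proto=bogus HTTP/1.1" 200 51',
    '192.0.2.13 - - [01/Jan/2026:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 1200',
]

REQUEST_RE = re.compile(r'"(GET|POST) ([^ ?"]+)(?:\?([^ "]*))? HTTP/')


def parse_request_line(line):
    """Return (method, path, params) from one access-log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    method, path, query = m.groups()
    # parse_qs percent-decodes values, so "%3B" becomes ";" before inspection.
    params = {k: v[-1] for k, v in parse_qs(query or "", keep_blank_values=True).items()}
    return method, path, params


def assess_request(line):
    """Return a finding for a suspicious proto argument to the CGI handler, else None."""
    parsed = parse_request_line(line)
    if parsed is None:
        return None
    _method, path, params = parsed
    if path != VULNERABLE_PATH or "proto" not in params:
        return None
    proto = params["proto"]
    if SHELL_META.search(proto):
        return f"shell metacharacter in proto={proto!r}"
    if proto not in EXPECTED_PROTO:
        return f"unexpected proto value {proto!r}"
    return None


def scan_log(lines):
    """Return (1-based line number, finding) pairs for every flagged request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        finding = assess_request(line)
        if finding:
            findings.append((number, finding))
    return findings
```

Run `scan_log(SAMPLE_LOG)` to see the two flagged lines; in production, feed the router's syslog-forwarded access records or an upstream proxy log instead of the constructed list.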
Exploitation status
Public Exploit Available: True
Analyst recommendation
This is a critical vulnerability that can be exploited remotely by unauthenticated attackers. Security teams must prioritize updating affected devices and limiting exposure to untrusted networks.