CVE-2026-6116

Totolink · A7100RU

A remote OS command injection vulnerability exists in the setDiagnosisCfg handler of /cgi-bin/cstecgi.cgi on the Totolink A7100RU, reachable through the ip argument.

Executive summary

A remote OS command injection vulnerability in the Totolink A7100RU router allows an unauthenticated remote attacker who can reach the web management interface to execute arbitrary system commands on the device.

Vulnerability

The vulnerability is in the setDiagnosisCfg function of /cgi-bin/cstecgi.cgi. The value of the ip argument is not validated before it is used in an OS command, so a remote client can supply shell metacharacters that the device interprets as additional commands. Because no authentication is required, anyone who can reach the CGI endpoint can trigger it.
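The bug class described above, as an added illustration written for this page (a Python model, not the A7100RU's own handler): the unvalidated parameter spliced into a shell command, beside the hardened form that validates against an allowlist and avoids the shell entirely. The page does not say which command setDiagnosisCfg runs; "ping" is an assumption used here for illustration.

```python
"""Illustrative model of an unvalidated request parameter reaching a shell
command, and of the hardened form. Written for this advisory page; it is not
the A7100RU firmware. The 'ping' command is an assumption."""
import ipaddress
import re
import shlex

# Tokens /bin/sh treats as command separators.
SHELL_SEPARATORS = {";", "|", "||", "&", "&&"}


def vulnerable_command(ip: str) -> str:
    """The vulnerable pattern: the untrusted parameter is formatted straight
    into a command string destined for system()/popen(), so the shell parses
    whatever the client sent."""
    return f"ping -c 1 {ip}"


def shell_tokens(cmd: str) -> list:
    """Tokenise `cmd` the way a POSIX shell would, with ; | & returned as
    their own operator tokens (shlex with punctuation_chars=True)."""
    return list(shlex.shlex(cmd, punctuation_chars=True))


def count_shell_commands(cmd: str) -> int:
    """How many separate commands the shell would run for `cmd`. 1 means the
    parameter stayed inside the intended ping invocation."""
    return 1 + sum(1 for tok in shell_tokens(cmd) if tok in SHELL_SEPARATORS)


# RFC 1123 hostname labels: alphanumerics and hyphens, no leading or trailing
# hyphen, so a value such as "-f" can never be parsed as a ping option.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def is_safe_target(value: str) -> bool:
    """Allowlist check: a literal IPv4/IPv6 address or a plain hostname.
    Everything else (metacharacters, whitespace, quotes, trailing newlines)
    is rejected rather than 'cleaned'. fullmatch is used deliberately: a
    trailing newline can slip past a $ anchor with re.match."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    return len(value) <= 253 and _HOSTNAME.fullmatch(value) is not None


def hardened_argv(value: str) -> list:
    """The fix: validate against the allowlist, then build an argv list for
    execve()/subprocess.run(list) so no shell is involved at all."""
    if not is_safe_target(value):
        raise ValueError(f"rejected diagnosis target {value!r}")
    return ["ping", "-c", "1", value]


if __name__ == "__main__":
    for candidate in ["192.168.1.1", "192.168.1.1; id", "-f", "router.lan"]:
        cmd = vulnerable_command(candidate)
        print(f"{candidate!r}: shell sees {count_shell_commands(cmd)} command(s):",
              shell_tokens(cmd))
        try:
            print("   hardened:", hardened_argv(candidate))
        except ValueError as exc:
            print("   hardened:", exc)
```

Two points the demo makes that a metacharacter blocklist alone would miss: the "-f" case contains no shell metacharacters but would still be parsed by ping as an option if passed through, and a trailing newline passes a `$`-anchored regex. Validating against an allowlist and then executing an argv list (the C equivalent is inet_pton plus execve rather than system) closes both.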

Business impact

A CVSS base score of 9.8 places this vulnerability in the Critical range. Commands injected through the CGI handler run on the router itself, giving the attacker full control of the device: traffic passing through it can be intercepted or redirected, the network can be disrupted, and the router can serve as a foothold for lateral movement into the organization.

Remediation

Immediate Action: Update the A7100RU to the latest firmware release published by Totolink, and verify the running firmware version after the update.

Proactive Monitoring: Review web-server, proxy or IDS logs for requests to /cgi-bin/cstecgi.cgi from unexpected sources, especially from the WAN side, and for setDiagnosisCfg requests whose ip value is not a plain IP address. Note that if the argument is sent in a request body, a standard access log will not record it; only a body-logging proxy or IDS can inspect the value.

Compensating Controls: If patching is delayed, disable the web management interface, or at minimum ensure it is not reachable from the WAN and restrict LAN access with firewall rules to a short allowlist of administrator addresses. Because exploitation needs no credentials, every client that can reach the interface is a potential attacker.
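One way to implement the Proactive Monitoring item above, and to check the source allowlist the Compensating Controls item describes, as an added example that is not part of the advisory. It runs over a constructed sample of a body-logging proxy/IDS export and makes two assumptions the page does not state: that the handler is addressed with a JSON body (or form/query parameters) carrying a "topicurl" selector and an "ip" field, and that request bodies are available in the logs at all. The administrator address 192.168.1.50 and all log lines are constructed.

```python
"""Added detection example over constructed log records. Assumptions not
stated on the advisory page: the JSON/form request shape with a 'topicurl'
selector and 'ip' field, and a log source that records request bodies."""
import ipaddress
import json
from urllib.parse import parse_qs

# Constructed sample export: timestamp, client, method, path, raw body.
# 192.168.1.50 is the (constructed) administrator workstation.
SAMPLE_LOG = """\
2026-03-01T10:00:01Z 192.168.1.50 POST /cgi-bin/cstecgi.cgi {"topicurl":"setDiagnosisCfg","ip":"192.168.1.1"}
2026-03-01T10:00:05Z 192.168.1.50 POST /cgi-bin/cstecgi.cgi {"topicurl":"getDiagnosisCfg"}
2026-03-01T10:02:17Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi {"topicurl":"setDiagnosisCfg","ip":"127.0.0.1;id"}
2026-03-01T10:02:19Z 203.0.113.7 POST /cgi-bin/cstecgi.cgi topicurl=setDiagnosisCfg&ip=127.0.0.1%60id%60
2026-03-01T10:03:40Z 192.168.1.50 GET /cgi-bin/cstecgi.cgi?topicurl=setDiagnosisCfg&ip=8.8.8.8
"""

TRUSTED_ADMINS = {"192.168.1.50"}  # constructed allowlist
SHELL_META = set(";|&`$(){}<>'\"\\ \t\r\n")


def is_literal_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_request(raw_path: str, body: str):
    """Return (path, params) from the query string plus a JSON or
    form-encoded body; body values override query values."""
    path, _, query = raw_path.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    body = body.strip()
    if body.startswith("{"):
        try:
            params.update(json.loads(body))
        except json.JSONDecodeError:
            pass  # malformed JSON: nothing to extract, the request still shows up below
    elif body:
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return path, params


def analyze(log_text: str, trusted_admins=TRUSTED_ADMINS) -> list:
    """Flag cstecgi.cgi requests from outside the admin allowlist, and any
    setDiagnosisCfg call whose ip field is not a literal IP address."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(maxsplit=4)
        if len(parts) < 4:
            continue
        _ts, client, _method, raw_path = parts[:4]
        body = parts[4] if len(parts) > 4 else ""
        path, params = parse_request(raw_path, body)
        if not path.endswith("/cgi-bin/cstecgi.cgi"):
            continue
        reasons = []
        if client not in trusted_admins:
            reasons.append("management request from untrusted client")
        if params.get("topicurl") == "setDiagnosisCfg":
            ip = str(params.get("ip", ""))
            if not is_literal_ip(ip):
                meta = "".join(sorted(set(ip) & SHELL_META))
                reasons.append(
                    f"setDiagnosisCfg ip is not an IP address: {ip!r}"
                    + (f" (shell metacharacters {meta!r})" if meta else ""))
        if reasons:
            findings.append({"line": lineno, "client": client, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} from {f['client']}: " + "; ".join(f["reasons"]))
```

The allowlist check is the more robust of the two signals: a management request from any address outside the administrator set is worth an alert whatever the payload, whereas the ip-field check depends on seeing the body and on the assumed request shape.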

Exploitation status

Public Exploit Available: True

Analyst recommendation

This vulnerability presents a severe risk to network security, and a public exploit is available. Organizations should update all affected Totolink A7100RU devices to the latest firmware release as a matter of urgency, and should treat any device whose management interface was reachable from an untrusted network while unpatched as potentially compromised, inspecting it or restoring it to known-good firmware before returning it to service.