CVE-2026-6132
Totolink · A7100RU
Totolink A7100RU allows remote unauthenticated attackers to execute arbitrary OS commands via the setLedCfg function in the CGI handler.
Executive summary
A critical OS command injection vulnerability in the Totolink A7100RU allows remote, unauthenticated attackers to execute arbitrary OS commands on the router and thereby take full control of the device.
Vulnerability
The flaw is in the setLedCfg handler of /cgi-bin/cstecgi.cgi: the enable argument is passed into an OS command without validation, so an unauthenticated attacker who can reach the CGI endpoint can append arbitrary shell commands to it. The injected commands run with the privileges of the CGI process, which on consumer routers is normally root, so a single request is enough for full compromise.
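The shape this bug class takes in a CGI handler, as an added illustration in C (the language such handlers are written in) and not Totolink's own code, which is not reproduced here: a naive handler that splices the enable parameter into a command line is placed beside one that accepts only the two values the parameter can legitimately hold. The command name ledctl and the function names are placeholders chosen for the example; the vulnerable variant returns the command string instead of executing it so the effect of an injected value can be inspected.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustration only, not the vendor's code): the
 * request parameter is pasted into a command line that a naive handler
 * would then hand to system(). The command is returned rather than
 * executed so its contents can be inspected. "ledctl" is a placeholder. */
int build_led_command_vulnerable(const char *enable, char *out, size_t outlen)
{
    /* A value such as "1;reboot" or "1`id`" reaches /bin/sh unchanged and
     * runs with the CGI's privileges, on a router normally root. */
    return snprintf(out, outlen, "ledctl %s", enable);
}

/* Hardened pattern: a boolean setting has exactly two legitimate values,
 * so allow-list them and reject everything else, including empty input. */
bool led_enable_is_valid(const char *enable)
{
    return enable != NULL &&
           (strcmp(enable, "0") == 0 || strcmp(enable, "1") == 0);
}

/* Apply the setting only after validation and never by building a shell
 * command from the input. Returns 0 on success, -1 on rejected input. */
int set_led_hardened(const char *enable, bool *led_on)
{
    if (!led_enable_is_valid(enable))
        return -1;
    *led_on = (enable[0] == '1');
    /* real code would now toggle the LED through a driver call or ioctl */
    return 0;
}

int main(void)
{
    /* constructed inputs: two legitimate values, two injection attempts, empty */
    const char *inputs[] = { "1", "0", "1;reboot", "1`id`", "" };
    char cmd[128];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        bool on;
        build_led_command_vulnerable(inputs[i], cmd, sizeof cmd);
        int rc = set_led_hardened(inputs[i], &on);
        printf("%-12s vulnerable would run: %-20s hardened: %s\n",
               inputs[i], cmd, rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The allow-list is the important part: escaping shell metacharacters is fragile, whereas a parameter that can only ever be 0 or 1 needs no shell at all.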
Business impact
The CVSS score of 9.8 (Critical) reflects that the flaw is reachable over the network without authentication or user interaction and yields complete control of the device. An attacker can establish persistent access on the router, pivot into the internal network behind it, or enlist it in a botnet, with severe consequences for the confidentiality and integrity of everything that network carries.
Remediation
Immediate Action: Apply the vendor-provided firmware update that addresses the command injection flaw, and confirm the running firmware version after the upgrade.
Proactive Monitoring: Monitor for unusual outbound connections from the device (unexpected hosts or ports) and for inbound requests to /cgi-bin/cstecgi.cgi whose parameter values contain shell metacharacters or anything other than the expected setting values.
Compensating Controls: Restrict access to the device's management interface to trusted internal IP addresses via firewall rules, and disable remote (WAN-side) management if it is enabled, so the vulnerable CGI endpoint is not reachable from the internet.
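A concrete form of the monitoring step, added here as example code rather than anything from the advisory or the vendor: a detector that flags requests to /cgi-bin/cstecgi.cgi whose setLedCfg enable value is not one of the two legitimate settings. It assumes the handler is addressed through a JSON POST body with a topicurl field naming the handler (a convention of this CGI on Totolink devices, but not something the advisory states), and that a proxy or IDS makes the request path and body available; the sample requests are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Minimal scanner for a flat JSON-style body: copies the value of
 * "key":"value" (or "key":value) into out. Returns false if the key is
 * absent. Deliberately small; it is a detection aid, not a JSON parser. */
static bool json_field(const char *body, const char *key, char *out, size_t outlen)
{
    char pat[64];
    snprintf(pat, sizeof pat, "\"%s\"", key);
    const char *p = strstr(body, pat);
    if (!p) return false;
    p += strlen(pat);
    while (*p == ' ' || *p == '\t') p++;
    if (*p != ':') return false;
    p++;
    while (*p == ' ' || *p == '\t') p++;
    bool quoted = (*p == '"');
    if (quoted) p++;
    size_t n = 0;
    while (*p && n + 1 < outlen) {
        if (quoted ? (*p == '"') : (*p == ',' || *p == '}' || *p == ' '))
            break;
        if (*p == '\\' && p[1] == '"') p++;   /* keep an escaped quote inside the value */
        out[n++] = *p++;
    }
    out[n] = '\0';
    return true;
}

/* True when the request targets the vulnerable handler with an enable
 * value other than "0" or "1". Anything else in that field is an
 * injection attempt or a probe and deserves an alert. */
bool request_is_suspicious(const char *path, const char *body)
{
    if (!strstr(path, "/cgi-bin/cstecgi.cgi")) return false;
    char topic[64], enable[128];
    if (!json_field(body, "topicurl", topic, sizeof topic)) return false;
    if (strcmp(topic, "setLedCfg") != 0) return false;
    if (!json_field(body, "enable", enable, sizeof enable)) return false;
    return !(strcmp(enable, "0") == 0 || strcmp(enable, "1") == 0);
}

struct req { const char *path; const char *body; };

/* Constructed sample traffic (not real captures); "otherHandler" is a
 * placeholder for any unrelated topicurl value. */
static const struct req SAMPLES[] = {
    { "/cgi-bin/cstecgi.cgi", "{\"topicurl\":\"setLedCfg\",\"enable\":\"1\"}" },
    { "/cgi-bin/cstecgi.cgi", "{\"topicurl\":\"setLedCfg\",\"enable\":\"1;reboot\"}" },
    { "/cgi-bin/cstecgi.cgi", "{\"topicurl\":\"setLedCfg\",\"enable\":\"1`id`\"}" },
    { "/cgi-bin/cstecgi.cgi", "{\"topicurl\":\"otherHandler\"}" },
    { "/index.html",          "" },
};

/* Number of suspicious requests in the sample set. */
int count_suspicious(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        if (request_is_suspicious(SAMPLES[i].path, SAMPLES[i].body))
            hits++;
    return hits;
}

int main(void)
{
    printf("%d of %zu sample requests flagged\n", count_suspicious(),
           sizeof SAMPLES / sizeof SAMPLES[0]);
    return 0;
}
```

Matching on the expected value set rather than on a list of shell metacharacters keeps the rule precise: a legitimate client never sends anything but 0 or 1 in this field, so there is no benign traffic for the rule to misfire on.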
Exploitation status
Public Exploit Available: True
Analyst recommendation
This is a critical vulnerability with a public exploit available. Affected devices must be updated immediately. If an update cannot be applied, the device should be isolated from the public internet, with no WAN-reachable management interface, until it can be patched.