CVE-2026-6138

Totolink · A7100RU

Totolink A7100RU is vulnerable to remote OS command injection via the setAccessDeviceCfg function in the CGI handler.

Executive summary

A critical OS command injection vulnerability in the Totolink A7100RU permits remote attackers to execute arbitrary commands with administrative privileges.

Vulnerability

The setAccessDeviceCfg function within /cgi-bin/cstecgi.cgi does not sanitize the mac argument, so an unauthenticated remote attacker can inject and execute OS commands through it.
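
As an added defensive illustration (not code from this advisory or from Totolink's firmware), the block below shows the strict allowlist check a CGI handler should apply to a mac parameter before using it, and the no-shell argument-array pattern that removes the injection path regardless of the value; the helper path and function names are assumed placeholders.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Strict allowlist for the "mac" parameter: exactly six two-digit hex
 * octets separated by ':' (17 characters). Anything else, including
 * shell metacharacters, is rejected before any command is built. */
bool is_valid_mac(const char *mac)
{
    if (mac == NULL || strlen(mac) != 17)
        return false;
    for (size_t i = 0; i < 17; i++) {
        if (i % 3 == 2) {
            if (mac[i] != ':')
                return false;
        } else if (!isxdigit((unsigned char)mac[i])) {
            return false;
        }
    }
    return true;
}

/* Hardened pattern for a handler that must hand the MAC to a helper
 * program: validate, then fill an argv array for execv()-style use.
 * No shell parses the value, so it can never become a command.
 * Returns the argv count, or -1 if the input is rejected.
 * The helper path is a hypothetical placeholder. */
int build_access_device_argv(const char *mac, const char *argv[], size_t max)
{
    if (!is_valid_mac(mac) || max < 4)
        return -1;
    argv[0] = "/usr/sbin/access-device-helper"; /* hypothetical helper */
    argv[1] = "--mac";
    argv[2] = mac;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    const char *av[4];
    /* constructed samples: one well-formed MAC, one with a stray ';' */
    const char *samples[] = { "00:11:22:33:44:55", "00:11:22:33:44:55;x" };
    for (size_t i = 0; i < 2; i++)
        printf("%-22s -> %s\n", samples[i],
               build_access_device_argv(samples[i], av, 4) < 0 ? "rejected" : "accepted");
    return 0;
}
```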

Business impact

With a CVSS score of 9.8, this vulnerability poses a severe threat. Successful exploitation allows for complete control over the affected hardware, enabling attackers to intercept traffic, modify configurations, or deploy malicious payloads within the network.

Remediation

Immediate Action: Update the device firmware to the latest version provided by Totolink to patch the vulnerable CGI handler.

Proactive Monitoring: Review system logs for unexpected execution of shell commands or unauthorized configuration changes.

Compensating Controls: Implement an ingress firewall policy to block unauthorized access to the web management interface of the router.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the availability of public exploits, the urgency for remediation is high. All affected Totolink devices must be updated to the latest available firmware to mitigate the risk of remote command execution.