CVE-2026-6139
Totolink · A7100RU
Totolink A7100RU contains an OS command injection vulnerability in the UploadOpenVpnCert function of the CGI handler.
Executive summary
A critical OS command injection vulnerability in the Totolink A7100RU allows unauthenticated remote attackers to execute arbitrary system commands.
Vulnerability
The UploadOpenVpnCert function in /cgi-bin/cstecgi.cgi does not properly sanitize the FileName argument, allowing an unauthenticated remote attacker to inject OS commands through that parameter.
Business impact
The CVSS score of 9.8 highlights the critical nature of this vulnerability. Compromise of the router allows for full control of the network gateway, potentially leading to widespread data interception and lateral movement into the internal corporate environment.
Remediation
Immediate Action: Patch the device by installing the most recent firmware update from the manufacturer.
Proactive Monitoring: Monitor for anomalous traffic patterns or unexpected file uploads related to OpenVPN certificate management.
Compensating Controls: Disable unnecessary management services or restrict access to the web interface via network access control lists.
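As an added illustration of the monitoring and access-restriction controls listed above (example code written for this page, not code from Totolink or the CVE record), the Python script below scans constructed web-server access-log lines for requests to /cgi-bin/cstecgi.cgi, flags any FileName value that falls outside a strict certificate-filename allowlist, and flags requests that do not originate from an assumed management subnet (192.168.0.0/24, a placeholder to adjust per environment). It assumes the FileName parameter is visible in the logged request target; if the device or a front-end proxy logs only the path for POST uploads, the same allowlist check has to run wherever the request parameters are actually recorded.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Assumption: the management network from which certificate uploads are expected.
MANAGEMENT_NETS = [ip_network("192.168.0.0/24")]

# Path and parameter name are taken from the advisory text.
CGI_PATH = "/cgi-bin/cstecgi.cgi"
PARAM = "FileName"

# Allowlist for a plausible certificate filename: letters, digits, dot, dash,
# underscore, at most 64 characters. Anything else (shell metacharacters,
# whitespace, path separators) is flagged rather than enumerated.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; the addresses, timestamps and values are made up.
SAMPLE_LOG = """\
192.168.0.10 - - [01/Jan/2026:10:00:00 +0000] "POST /cgi-bin/cstecgi.cgi?FileName=client.crt HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /cgi-bin/cstecgi.cgi?FileName=ca.crt HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2026:10:00:06 +0000] "POST /cgi-bin/cstecgi.cgi?FileName=cert.crt%3Becho%20test HTTP/1.1" 200 0
192.168.0.10 - - [01/Jan/2026:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 2048
"""


def analyse_line(line):
    """Return a list of finding strings for one log line (empty when nothing is suspicious)."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path != CGI_PATH:
        return []

    findings = []
    src = ip_address(m.group("src"))
    if not any(src in net for net in MANAGEMENT_NETS):
        findings.append(f"cstecgi request from non-management address {src}")

    # parse_qs percent-decodes once; double-encoded values would still fail the
    # allowlist because '%' is not an allowed character.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        if not SAFE_FILENAME.match(value):
            findings.append(f"{PARAM} value fails allowlist: {value!r}")
    return findings


def scan(log_text):
    """Return [(line_number, findings)] for every line that produced at least one finding."""
    results = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        findings = analyse_line(line)
        if findings:
            results.append((number, findings))
    return results


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        for finding in findings:
            print(f"line {number}: {finding}")
```

Run against the constructed sample, line 1 is silent (management address, benign filename), line 2 is flagged only for its source address, line 3 is flagged for both the source address and the malformed FileName, and line 4 is ignored because it does not touch the CGI handler. Tightening the allowlist to the exact filenames the OpenVPN import expects reduces noise further.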
Exploitation status
Public Exploit Available: True
Analyst recommendation
Immediate remediation is required to secure the device against remote command execution. Administrators should prioritize firmware updates and ensure the device is not reachable from untrusted networks.