CVE-2026-6140
Totolink · A7100RU
Totolink A7100RU is susceptible to remote OS command injection via the UploadFirmwareFile function in the CGI handler.
Executive summary
A critical OS command injection vulnerability in the Totolink A7100RU enables remote, unauthenticated attackers to execute arbitrary commands on the system.
Vulnerability
The UploadFirmwareFile function in /cgi-bin/cstecgi.cgi lacks adequate input validation for the FileName argument, permitting remote OS command injection.
Business impact
With a CVSS score of 9.8, this vulnerability allows for complete system compromise. Attackers could potentially overwrite firmware or execute malicious code, leading to long-term persistence and unauthorized access to network traffic.
Remediation
Immediate Action: Update to the latest firmware version released by Totolink to address the vulnerability in the CGI handler.
Proactive Monitoring: Monitor logs for unauthorized or suspicious firmware upload attempts.
Compensating Controls: Restrict administrative access to the router's web interface to authorized management subnets only.
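The two defensive steps above (log monitoring for suspicious firmware upload attempts, and confining management access to authorized subnets) can be combined into one log check. The following is an added example, not code from Totolink or from this advisory: it scans access-log lines for requests to /cgi-bin/cstecgi.cgi that invoke UploadFirmwareFile, flags uploads from outside the management subnets, and flags FileName values that fall outside a strict filename allowlist. The log line format, the management subnet, and the assumption that the function is selected by a query parameter bearing its name are all constructed for the example; the A7100RU's real request layout and log format are not documented on this page, so adapt the regex and parameter handling to what your device or reverse proxy actually records.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qs

# Subnets permitted to reach the web management interface (constructed values for this example).
MANAGEMENT_SUBNETS = [ipaddress.ip_network("10.0.100.0/24")]

# Names taken from the advisory: the CGI handler path, the function, and the argument.
CGI_PATH = "/cgi-bin/cstecgi.cgi"
UPLOAD_FUNCTION = "UploadFirmwareFile"
FILENAME_ARG = "FileName"

# Strict allowlist for a firmware file name: letters, digits, dot, dash, underscore only.
# Anything else (spaces, shell metacharacters, path separators) is treated as suspicious.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9._-]+$")

# Assumed (constructed) access-log shape: "<client_ip> <method> <request_uri>" per line.
# Real router or reverse-proxy logs differ; adjust this regex to the format you collect.
LOG_LINE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<uri>\S+)$")


def is_management_address(ip_text):
    """True if the client address lies inside an authorized management subnet."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_SUBNETS)


def analyse_line(line):
    """Return findings for one log line as (level, message) tuples; [] means nothing of note.

    Assumption (not from the advisory): the function is selected by a query parameter
    named after it, e.g. '?UploadFirmwareFile&FileName=...'.
    """
    m = LOG_LINE.match(line.strip())
    if not m:
        return []
    parts = urlsplit(m.group("uri"))
    if parts.path != CGI_PATH:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    if UPLOAD_FUNCTION not in params:
        return []

    findings = []
    ip = m.group("ip")
    if not is_management_address(ip):
        findings.append(("high", f"firmware upload from non-management address {ip}"))
    # parse_qs has already percent-decoded the value, so the allowlist sees the real bytes.
    for value in params.get(FILENAME_ARG, []):
        if not SAFE_FILENAME.match(value):
            findings.append(("high", f"{FILENAME_ARG} value fails allowlist: {value!r}"))
    if not findings:
        # Every firmware upload is worth a look even when it passes both checks.
        findings.append(("info", f"firmware upload from management address {ip}; confirm against change records"))
    return findings


def analyse_log(lines):
    """Map each log line that produced findings to its list of findings."""
    report = {}
    for line in lines:
        findings = analyse_line(line)
        if findings:
            report[line] = findings
    return report


# Constructed sample log lines for the example; not captured from a real device.
SAMPLE_LOG = [
    "10.0.100.5 POST /cgi-bin/cstecgi.cgi?UploadFirmwareFile&FileName=A7100RU_v1.bin",
    "203.0.113.7 POST /cgi-bin/cstecgi.cgi?UploadFirmwareFile&FileName=fw.bin",
    "10.0.100.5 POST /cgi-bin/cstecgi.cgi?UploadFirmwareFile&FileName=fw%3Bname.bin",
    "198.51.100.9 GET /index.html",
]

if __name__ == "__main__":
    for line, findings in analyse_log(SAMPLE_LOG).items():
        print(line)
        for level, message in findings:
            print(f"  [{level}] {message}")
```

Run it as a script to see the three upload lines reported: the first as informational, the second for its non-management source address, the third for a FileName that decodes to a value outside the allowlist. An allowlist is deliberately used instead of a denylist of metacharacters, since a firmware file name legitimately needs only a small character set and anything beyond it warrants review.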
Exploitation status
Public Exploit Available: True
Analyst recommendation
The risk posed by this vulnerability is extreme. It is essential to apply the vendor-provided firmware update immediately and restrict exposure of the web management interface.