CVE-2026-6154

Totolink · A7100RU

Totolink A7100RU allows remote OS command injection via the setWizardCfg function within the CGI handler.

Executive summary

A critical OS command injection vulnerability in the Totolink A7100RU allows remote, unauthenticated attackers to execute arbitrary system commands.

Vulnerability

The setWizardCfg function in /cgi-bin/cstecgi.cgi fails to sanitize the wizard argument, enabling an unauthenticated attacker to inject and execute OS commands.

Business impact

The CVSS score of 9.8 indicates a critical risk. Successful exploitation grants the attacker full control over the router, which can be used to compromise all traffic passing through the device and potentially infiltrate internal resources.

Remediation

Immediate Action: Install the latest firmware update provided by the vendor to remediate the command injection flaw.

Proactive Monitoring: Review system and audit logs for signs of arbitrary command execution or unauthorized configuration changes.

Compensating Controls: Implement strict firewall rules to prevent external access to the device's CGI management endpoints.
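To make the "Proactive Monitoring" step concrete, the following added detection script (not vendor code, and not taken from this advisory) flags requests to the vulnerable handler whose wizard argument carries shell metacharacters. It assumes the parameter arrives in the query string of a request record captured by a proxy or IDS in front of the router; the sample records are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint and argument named in the advisory.
VULN_PATH = "/cgi-bin/cstecgi.cgi"
SUSPECT_PARAM = "wizard"

# Shell metacharacters that a legitimate wizard value should never contain.
META = re.compile(r"[;|&`$\n\r<>]")

# Constructed sample records in a simplified "METHOD URL" form (assumption:
# a reverse proxy or IDS in front of the device records requests this way).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/cstecgi.cgi?wizard=home",
    "GET /cgi-bin/cstecgi.cgi?wizard=home;id",
    "POST /cgi-bin/cstecgi.cgi?wizard=a%60uname%60",
    "GET /index.html",
    "GET /cgi-bin/cstecgi.cgi?other=x|ls",
]


def parse_query(query):
    """Split a query string on '&' only and percent-decode keys and values.
    Done by hand so that ';' inside a value survives on every Python version."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_request(line):
    """Return a reason string if the record targets the vulnerable handler with a
    suspicious wizard value, otherwise None."""
    method, _, url = line.partition(" ")
    if not url:
        return None
    parts = urlsplit(url)
    if parts.path != VULN_PATH:
        return None
    # Scoped to the argument the advisory names; widening to every parameter
    # of this handler is a reasonable hardening once the baseline is understood.
    for value in parse_query(parts.query).get(SUSPECT_PARAM, []):
        if META.search(value):
            return f"{method} {VULN_PATH}: metacharacter in {SUSPECT_PARAM}={value!r}"
    return None


def scan(lines):
    """Run inspect_request over a batch of records and keep the findings."""
    return [hit for hit in map(inspect_request, lines) if hit]
```

Feed `scan()` the decoded request records from whatever sits in front of the device; a non-empty result is a trigger to verify the firmware level and review the router's configuration for unauthorized changes.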

Exploitation status

Public Exploit Available: True

Analyst recommendation

Administrators must prioritize the firmware update for all affected devices. Until an update is applied, ensure that access to the device is limited to trusted, internal-only networks.