CVE-2026-6155
Totolink · A7100RU
Totolink A7100RU is vulnerable to remote OS command injection via the setWanCfg function in the CGI handler.
Executive summary
A critical OS command injection vulnerability in the Totolink A7100RU allows an unauthenticated remote attacker to execute arbitrary operating-system commands on the router with full system privileges.
Vulnerability
The setWanCfg function in /cgi-bin/cstecgi.cgi passes the attacker-controlled pppoeServiceName argument into an OS command without validating or escaping it, so a remote attacker who can reach the CGI endpoint can append arbitrary shell commands to the value. The handler requires no authentication, so reachability of the web interface is the only precondition.
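The sketch below is an added illustration and is not the A7100RU firmware code, which this page does not reproduce. It shows the injection pattern the advisory describes (an untrusted service name spliced into a shell command string) next to a hardened version that validates the value with an allow-list and passes it as its own argv element so no shell parses it. It also includes a small request-scanning check of the kind the "Proactive Monitoring" item in the remediation section calls for, which percent-decodes the parameter before looking for shell metacharacters so that an encoded `%3B` is not missed. The pppd command line, the form-encoded request body, the parameter name placement and the allowed character set are assumptions made for the example.

```c
/* Added example, not vendor code.  The command line, the request format and
 * the allowed character set are assumptions for illustration only. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Characters that let a value escape the shell word it was meant to fill. */
static const char SHELL_META[] = ";&|`$()<>\n\r\"'\\ \t";

/* Allow-list check for a PPPoE service name: letters, digits, '-', '_', '.'
 * and a length bound.  (RFC 2516 leaves the field opaque; the allowed set
 * here is a deliberately conservative assumption.)  Returns 1 if acceptable. */
int pppoe_service_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/* VULNERABLE pattern: the untrusted value is formatted straight into a shell
 * command string.  With "isp;id" the ';' ends the intended command and the
 * rest runs as a second command when the string reaches system() or popen().
 * The example only builds the string; it never executes it. */
int build_pppoe_cmd_vulnerable(char *out, size_t outlen, const char *name)
{
    return snprintf(out, outlen,
                    "pppd plugin rp-pppoe.so eth1 rp_pppoe_service %s", name);
}

/* HARDENED: validate first, then hand the value to execv()/posix_spawn() as a
 * separate argv element.  No shell is involved, so metacharacters are inert.
 * Returns argc on success, -1 if the name is rejected or argv is too small. */
int build_pppoe_argv(const char *argv[], int max, const char *name)
{
    if (max < 7 || !pppoe_service_name_ok(name))
        return -1;
    argv[0] = "pppd";
    argv[1] = "plugin";
    argv[2] = "rp-pppoe.so";
    argv[3] = "eth1";
    argv[4] = "rp_pppoe_service";
    argv[5] = name;
    argv[6] = NULL;
    return 6;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Copies the percent-decoded value of `key` from a form-encoded body into
 * `out`.  Returns 1 if the key was present, 0 otherwise.  Meant for scanning
 * logged or proxied requests; the body format is an assumption. */
int extract_param(const char *body, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = body;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == body || p[-1] == '&') && p[klen] == '=') {
            size_t n = 0;
            p += klen + 1;
            while (*p && *p != '&' && n + 1 < outlen) {
                int hi, lo;
                if (*p == '%' && (hi = hexval(p[1])) >= 0 && (lo = hexval(p[2])) >= 0) {
                    out[n++] = (char)(hi * 16 + lo);
                    p += 3;
                } else if (*p == '+') {
                    out[n++] = ' ';
                    p++;
                } else {
                    out[n++] = *p++;
                }
            }
            out[n] = '\0';
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Detection check: 1 if the request's pppoeServiceName, once decoded, carries
 * shell metacharacters; 0 if absent or clean. */
int request_looks_injected(const char *body)
{
    char val[256];
    if (!extract_param(body, "pppoeServiceName", val, sizeof val))
        return 0;
    return strpbrk(val, SHELL_META) != NULL;
}

int main(void)
{
    char cmd[256];
    const char *argv[8];
    /* Constructed sample inputs, not captured traffic. */
    build_pppoe_cmd_vulnerable(cmd, sizeof cmd, "isp;id");
    printf("vulnerable command string: %s\n", cmd);
    printf("hardened build for \"isp;id\": %d (rejected)\n",
           build_pppoe_argv(argv, 8, "isp;id"));
    printf("request flagged: %d\n",
           request_looks_injected("wanType=pppoe&pppoeServiceName=isp%3Bid"));
    return 0;
}
```

The allow-list plus argv approach is the fix a maintainer would want: filtering alone tends to miss one metacharacter or encoding, whereas a value that never reaches a shell cannot inject. The decoding step in the scanner matters because a naive signature on the raw request body will not see `;` when the client sends `%3B`.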
Business impact
A CVSS score of 9.8 (Critical) reflects a realistic risk of full device compromise with no authentication required. With command execution on the router, an attacker controls its network configuration and every flow that crosses it, which enables man-in-the-middle attacks against connected clients, DNS manipulation, and a persistent foothold into the internal network.
Remediation
Immediate Action: Update to the latest firmware version provided by Totolink that addresses this command injection vulnerability. A firmware update does not undo changes an attacker has already made; after updating, review the WAN, DNS and remote-management settings, and perform a factory reset if compromise is suspected.
Proactive Monitoring: Monitor for unexpected changes to network configuration (WAN settings, DNS servers, port forwards) and for unusual outbound connections originating from the router itself. Requests to /cgi-bin/cstecgi.cgi whose pppoeServiceName value contains shell metacharacters, including their URL-encoded forms, are a direct indicator of exploitation attempts.
Compensating Controls: Use firewall rules to block internet-facing access to the device's web management interface, and disable WAN-side remote management if it is enabled. This reduces exposure but does not fix the flaw: any host on the LAN can still reach the unauthenticated handler, so the firmware update remains necessary.
Exploitation status
Public Exploit Available: True
Analyst recommendation
This is a high-priority issue. Administrators should update affected devices immediately and ensure that management interfaces are not exposed to the public internet.