CVE-2026-6156

Totolink · A7100RU

Totolink A7100RU allows remote OS command injection via the setIpQosRules function in the CGI handler.

Executive summary

A critical OS command injection vulnerability in the Totolink A7100RU permits remote, unauthenticated attackers to execute arbitrary system commands.

Vulnerability

The setIpQosRules function in /cgi-bin/cstecgi.cgi fails to sanitize the Comment argument before it reaches an OS command, allowing an unauthenticated attacker to inject and execute OS commands.
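As an added illustration of the check that is missing here (this is not Totolink's code; the field name, the length limit and the allowed character set are assumptions), a strict allowlist validator for the Comment value that rejects anything a shell could interpret, together with a setter that stores the value in a fixed-size structure instead of interpolating it into a command line:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define COMMENT_MAX 32 /* assumed limit; tune to the device's own schema */

/* Hypothetical rule record: the comment is copied into a bounded buffer
 * and later written to configuration by a fixed API, never passed to a
 * shell, so metacharacters have no place to be interpreted. */
struct ipqos_rule {
    char comment[COMMENT_MAX + 1];
};

/* Returns 1 if the comment contains only allowlisted characters and is
 * within bounds, 0 otherwise. The allowlist deliberately excludes every
 * shell metacharacter (; | & $ ` ( ) < > " ' \ and newline). */
int validate_qos_comment(const char *comment) {
    if (comment == NULL)
        return 0;
    size_t len = 0;
    for (; comment[len] != '\0'; len++) {
        if (len >= COMMENT_MAX)
            return 0; /* too long, reject before scanning further */
        unsigned char c = (unsigned char)comment[len];
        if (isalnum(c) || c == ' ' || c == '-' || c == '_' || c == '.')
            continue;
        return 0; /* any other byte is rejected outright */
    }
    return len > 0;
}

/* Validates and copies the comment into the rule. Returns 0 on success,
 * -1 if the input was rejected (the rule is left untouched). */
int set_ipqos_rule_comment(struct ipqos_rule *rule, const char *comment) {
    if (rule == NULL || !validate_qos_comment(comment))
        return -1;
    /* validate_qos_comment guarantees strlen(comment) <= COMMENT_MAX */
    memcpy(rule->comment, comment, strlen(comment) + 1);
    return 0;
}
```

The same allowlist approach applies to every other string field the handler accepts; validation alone is not a substitute for removing the shell call.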

Business impact

The CVSS score of 9.8 reflects the critical severity of this vulnerability. Successful exploitation gives the attacker full control over the device, enabling further network penetration and interception of traffic passing through the router.

Remediation

Immediate Action: Apply the vendor-provided firmware update as soon as it is available to patch the vulnerable CGI function.

Proactive Monitoring: Monitor system and web-server logs for unusual behavior, such as unexpected requests to the CGI handler or signs of unauthorized command execution.

Compensating Controls: Ensure the router's management interface is not accessible from the public internet by configuring appropriate firewall rules.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Immediate firmware updates are required to mitigate this critical risk. Restricting access to the device management interface is a necessary secondary measure to prevent unauthorized exploitation.