CVE-2026-7037
Totolink · A8000RU
A remote OS command injection vulnerability exists in the Totolink A8000RU router via the pptpPassThru argument in the setVpnPassCfg function.
Executive summary
An unauthenticated OS command injection vulnerability in the Totolink A8000RU router allows remote attackers to execute arbitrary system commands, posing a critical risk of total device compromise.
Vulnerability
This is an OS command injection flaw within the setVpnPassCfg function of the /cgi-bin/cstecgi.cgi component. Attackers can reach this endpoint without authentication to inject malicious commands that run with system-level privileges.
Business impact
The CVSS score of 9.8 reflects the ease of exploitation and the severity of the impact. Successful exploitation grants an attacker full control over the network device, which can be used to intercept sensitive traffic, pivot into internal network segments, or deploy persistent malware, leading to severe data breaches and operational downtime.
Remediation
Immediate Action: Disconnect the affected device from the internet or restrict access to the management interface to trusted IP addresses only until a firmware patch is applied.
Proactive Monitoring: Inspect system logs for unusual command executions or attempts to access the cstecgi.cgi file from unauthorized external IP addresses.
Compensating Controls: Deploy a Web Application Firewall (WAF) or intrusion prevention system (IPS) configured to block malicious patterns targeting CGI scripts and command injection sequences.
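One way to carry out the Proactive Monitoring step, shown as an added example that is not part of the original advisory: the script flags requests to /cgi-bin/cstecgi.cgi from sources outside the trusted management ranges. The trusted ranges, the log format (common log format from a proxy or gateway in front of the management interface) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: management access is only expected from these ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.20.0.0/28")]
CGI_PATH = "/cgi-bin/cstecgi.cgi"  # component named in the advisory

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip_text):
    """True only if ip_text parses and falls inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is never treated as trusted
    return any(ip in net for net in TRUSTED_NETS)

def find_untrusted_cgi_access(lines):
    """Return (ip, timestamp, method, status) for each untrusted CGI request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Drop the query string and collapse repeated slashes before comparing.
        path = re.sub(r"/+", "/", m.group("path").split("?", 1)[0])
        if path == CGI_PATH and not is_trusted(m.group("ip")):
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("status")))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.168.0.15 - - [12/May/2026:09:14:02 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 54',
    '203.0.113.77 - - [12/May/2026:09:15:40 +0000] "POST /cgi-bin/cstecgi.cgi HTTP/1.1" 200 54',
    '198.51.100.9 - - [12/May/2026:09:16:01 +0000] "GET /index.html HTTP/1.1" 200 1280',
    '198.51.100.9 - - [12/May/2026:09:16:05 +0000] "POST //cgi-bin/cstecgi.cgi?x=1 HTTP/1.1" 200 54',
    'malformed line without the expected fields',
]

if __name__ == "__main__":
    for ip, ts, method, status in find_untrusted_cgi_access(SAMPLE_LOG):
        print(f"untrusted access to {CGI_PATH}: {ip} {method} status={status} at {ts}")
```

Any hit from an external address is worth investigating on its own, since the advisory states the endpoint is reachable without authentication.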
Exploitation status
Public Exploit Available: true
Analyst recommendation
This vulnerability represents a critical threat to network integrity. Organizations using the Totolink A8000RU should prioritize immediate isolation of the device. If an official firmware update is unavailable, ensure the device is not accessible from the public internet and evaluate replacement options if the vendor does not provide a timely fix.