CVE-2026-7121

Totolink · A8000RU

A remote OS command injection vulnerability in the Totolink A8000RU CGI handler allows unauthenticated attackers to execute arbitrary commands via the wizard parameter.

Executive summary

A critical OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to gain full system control.

Vulnerability

This is an OS command injection vulnerability within the setWizardCfg function of the /cgi-bin/cstecgi.cgi component. The application fails to sanitize the wizard argument, allowing an unauthenticated remote attacker to inject and execute arbitrary system commands.

Business impact

The vulnerability allows for full remote compromise of the device, which could be used as a pivot point into the local network. With a CVSS score of 9.8, the risk of complete device takeover and subsequent lateral movement is severe.

Remediation

Immediate Action: Disconnect the affected device from the internet or apply the latest manufacturer firmware patch if available.

Proactive Monitoring: Monitor network traffic for unusual outbound connections or shell-like activity originating from the router.

Compensating Controls: Restrict management interface access to trusted IP addresses only via firewall rules.
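The monitoring and access-restriction steps above can be checked against request logs for the router's management interface. The following is an added example, not part of the original advisory or any vendor code: it flags requests to /cgi-bin/cstecgi.cgi that come from outside a trusted subnet or carry shell metacharacters in a wizard value. The record layout, the 192.168.0.0/24 management subnet, and the assumption that wizard arrives as a query, form or JSON field are illustrative assumptions.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # component named in the advisory
TRUSTED_NETS = [ipaddress.ip_network("192.168.0.0/24")]  # assumed management subnet
# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\]")

def wizard_values(record):
    """Collect every 'wizard' value from the query string and the body."""
    values = list(parse_qs(urlsplit(record["url"]).query).get("wizard", []))
    body = record.get("body", "")
    try:
        doc = json.loads(body)  # assumed: body may be a JSON object
        if isinstance(doc, dict) and "wizard" in doc:
            values.append(str(doc["wizard"]))
    except ValueError:
        values += parse_qs(body).get("wizard", [])  # fall back to form encoding
    return values

def assess(record):
    """Return findings for one request record; an empty list means nothing to report."""
    if urlsplit(record["url"]).path != CGI_PATH:
        return []
    findings = []
    src = ipaddress.ip_address(record["src"])
    if not any(src in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")
    if any(SHELL_META.search(v) for v in wizard_values(record)):
        findings.append("shell-metachar-in-wizard")
    return findings

# Constructed sample records, not captured traffic.
SAMPLES = [
    {"src": "192.168.0.10", "url": CGI_PATH, "body": '{"wizard": "1"}'},
    {"src": "203.0.113.7", "url": CGI_PATH, "body": '{"wizard": "1"}'},
    {"src": "203.0.113.7", "url": CGI_PATH, "body": '{"wizard": "1; echo test"}'},
    {"src": "192.168.0.10", "url": CGI_PATH + "?wizard=1%7Cecho", "body": ""},
    {"src": "203.0.113.7", "url": "/index.html", "body": "wizard=1;x"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["src"], rec["url"], assess(rec))
```

Any request reaching this path from an untrusted source indicates that the firewall restriction is not in effect, regardless of what the wizard value contains.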

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Due to the availability of public exploit code and the critical nature of the vulnerability, immediate mitigation is required. If a firmware update is not available, the device should be isolated from external network access to prevent compromise.