CVE-2026-7124
Totolink · A8000RU
An unauthenticated remote OS command injection vulnerability exists in the Totolink A8000RU CGI handler via the addrPrefixLen parameter in the setIpv6LanCfg function.
Executive summary
A critical OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary commands.
Vulnerability
The vulnerability is located in the setIpv6LanCfg function of the /cgi-bin/cstecgi.cgi file. An unauthenticated attacker can supply a malicious addrPrefixLen parameter to trigger OS command injection.
Business impact
This flaw permits total device takeover, which can lead to severe security breaches, including data exfiltration and denial of service. The 9.8 CVSS score reflects the high impact on confidentiality, integrity, and availability.
Remediation
Immediate Action: Apply the vendor-supplied firmware update and disable IPv6 if it is not currently in use.
Proactive Monitoring: Monitor router logs for anomalous command execution attempts and for unexpected configuration changes.
Compensating Controls: Use a firewall to block access to the management interface from the WAN side.
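As an added illustration of the input check and the log monitoring described above (example code written for this entry, not Totolink firmware or a vendor tool): a strict validator that accepts addrPrefixLen only as a decimal IPv6 prefix length 0..128, used as a detector over access-log lines for the cstecgi.cgi handler. The topicurl selector parameter and the log layout are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Handler path, function and parameter names as given in the advisory.
CGI_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_FUNC = "setIpv6LanCfg"
PARAM = "addrPrefixLen"
SELECTOR = "topicurl"  # assumed name of the function-selector parameter

# Allow-list: ASCII digits only, so no signs, whitespace or shell metacharacters.
PREFIX_RE = re.compile(r"[0-9]{1,3}")


def valid_addr_prefix_len(value: str) -> bool:
    """True only for a plain decimal prefix length in the range 0..128."""
    if not PREFIX_RE.fullmatch(value):
        return False
    return 0 <= int(value) <= 128


# Constructed sample access-log lines (common log format), not real device logs.
SAMPLE_LOG = """\
10.0.0.23 - - [01/May/2026:10:01:02 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=setIpv6LanCfg&addrPrefixLen=64 HTTP/1.1" 200 512
10.0.0.23 - - [01/May/2026:10:01:09 +0000] "GET /cgi-bin/cstecgi.cgi?topicurl=getSysStatus HTTP/1.1" 200 1220
203.0.113.7 - - [01/May/2026:10:02:41 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=setIpv6LanCfg&addrPrefixLen=64%3Bid HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2026:10:02:50 +0000] "POST /cgi-bin/cstecgi.cgi?topicurl=setIpv6LanCfg&addrPrefixLen=999 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious_requests(log_text: str) -> list:
    """Flag requests to the handler that call setIpv6LanCfg with an invalid addrPrefixLen."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if parts.path != CGI_PATH:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
        if TARGET_FUNC not in qs.get(SELECTOR, []):
            continue
        for raw in qs.get(PARAM, []):
            if not valid_addr_prefix_len(raw):
                hits.append({"src": m.group("src"), "ts": m.group("ts"), "value": raw})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} rejected {PARAM}={hit['value']!r}")
```

The same validator belongs in front of any code path that turns addrPrefixLen into a command or configuration write; the detector only reports what such a check would have refused.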
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Immediate remediation is essential. Users should prioritize updating their firmware to the latest version to mitigate this critical risk.