CVE-2026-7125
Totolink · A8000RU
An unauthenticated remote OS command injection vulnerability exists in the Totolink A8000RU CGI handler via the merge parameter in the setWiFiEasyCfg function.
Executive summary
A critical OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary commands.
Vulnerability
This vulnerability occurs in the setWiFiEasyCfg function within /cgi-bin/cstecgi.cgi. The merge parameter is inadequately sanitized, allowing remote command injection by an unauthenticated attacker.
Business impact
The device is subject to total compromise, which poses a significant threat to internal network security. The 9.8 CVSS score justifies treating this as a high-priority security issue.
Remediation
Immediate Action: Update to the latest firmware version and disable the Wi-Fi Easy Configuration feature if possible.
Proactive Monitoring: Review router logs for any suspicious system-level commands being executed.
Compensating Controls: Restrict management interface access to local or trusted administrative subnets only.
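The monitoring and access-restriction steps above can be checked against captured management-interface requests. This added example (not from the vendor or the original advisory) flags requests to the handler that arrive from outside a trusted subnet or carry shell metacharacters in merge. The record layout, the "action" field name, the sample requests and the trusted subnet are assumptions.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs

CGI_PATH = "/cgi-bin/cstecgi.cgi"  # endpoint named in the advisory
HANDLER = "setWiFiEasyCfg"         # function named in the advisory
# Characters a shell treats as separators, substitution or redirection.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Assumption: placeholder admin subnet, replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed sample records; "action" is a hypothetical field name.
SAMPLES = [
    {"src": "192.168.10.5", "path": CGI_PATH,
     "body": '{"action": "setWiFiEasyCfg", "merge": "1"}'},
    {"src": "203.0.113.7", "path": CGI_PATH,
     "body": '{"action": "setWiFiEasyCfg", "merge": "1;<constructed-command>"}'},
    {"src": "192.168.10.9", "path": CGI_PATH,
     "body": "action=setWiFiEasyCfg&merge=1%7Cconstructed"},
]

def parse_fields(text):
    """Return fields as a flat dict of strings (JSON object or form-encoded)."""
    try:
        data = json.loads(text)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[0] for k, v in parse_qs(text, keep_blank_values=True).items()}

def triage(record):
    """Return the findings for one captured request record."""
    path, _, query = record["path"].partition("?")
    if path != CGI_PATH:
        return []
    fields = {**parse_fields(query), **parse_fields(record["body"])}
    if HANDLER not in fields.values():  # request targets a different handler
        return []
    findings = []
    if not any(ipaddress.ip_address(record["src"]) in n for n in TRUSTED_NETS):
        findings.append("untrusted-source")
    if SHELL_META.search(fields.get("merge", "")):
        findings.append("shell-metachar-in-merge")
    return findings

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["src"], triage(rec))
```

Any "untrusted-source" hit means the management interface is reachable from outside the administrative subnet, independent of whether the merge value looks malicious.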
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
All affected users should immediately update their firmware. If a patch is unavailable, the device must be isolated from the WAN to prevent remote exploitation.