CVE-2026-7136

Totolink · A8000RU

An unauthenticated remote OS command injection vulnerability exists in the Totolink A8000RU CGI handler via the wanIdx parameter in the setDmzCfg function.

Executive summary

A critical OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary commands.

Vulnerability

The vulnerability resides in the setDmzCfg function in the /cgi-bin/cstecgi.cgi file. Improper input validation on the wanIdx parameter allows for remote OS command injection.

Business impact

The vulnerability provides an attacker with complete control over the device, facilitating unauthorized access to the network. The 9.8 CVSS score confirms the high severity and potential for large-scale impact.

Remediation

Immediate Action: Update to the latest firmware version and disable DMZ features if not strictly required.

Proactive Monitoring: Monitor logs for unauthorized configuration changes or anomalous process execution.

Compensating Controls: Block WAN-side access to the management interface using firewall rules.
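The root cause stated above is missing input validation on wanIdx before the CGI handler acts on it. The following is an added illustration of the kind of strict validation that closes this class of bug; it is not Totolink's code and it does not reproduce the firmware's actual handler. It assumes that wanIdx is a small non-negative integer selecting one WAN slot (the bound MAX_WAN_IDX and the interface names are placeholders), and it shows the two defensive properties that matter: the parameter is accepted only if it is entirely decimal digits within range, and the validated value is then used only to index a fixed table, so no request bytes can ever become part of a command line.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound on WAN slots; the real firmware's value is not given on the page. */
#define MAX_WAN_IDX 3

/* Strictly parse a wanIdx request parameter: ASCII decimal digits only, no sign,
 * no surrounding whitespace, no trailing bytes, value within [0, MAX_WAN_IDX].
 * Returns 1 and stores the value on success, 0 on any deviation. */
int validate_wan_idx(const char *s, int *out)
{
    if (s == NULL || *s == '\0' || strlen(s) > 2)   /* an index never needs more than 2 digits */
        return 0;
    for (const char *p = s; *p; p++) {
        if (*p < '0' || *p > '9')
            return 0;                               /* rejects ';', '&', '|', '`', spaces, etc. */
    }
    long v = strtol(s, NULL, 10);                   /* safe: at most 2 digits, all validated */
    if (v < 0 || v > MAX_WAN_IDX)
        return 0;
    *out = (int)v;
    return 1;
}

/* Fixed allow-list: the validated index selects a compile-time interface name,
 * so attacker-controlled bytes are never interpolated into anything executable.
 * (Interface names are placeholders, not the device's real configuration.) */
static const char *const wan_ifaces[MAX_WAN_IDX + 1] = { "eth0.2", "eth0.3", "eth0.4", "eth0.5" };

/* Resolve a raw wanIdx parameter to an interface name; NULL means "reject the request". */
const char *wan_iface_for_param(const char *wan_idx_param)
{
    int idx;
    if (!validate_wan_idx(wan_idx_param, &idx))
        return NULL;
    return wan_ifaces[idx];
}

int main(void)
{
    /* Constructed sample parameter values: valid indexes, out-of-range, and malformed input. */
    const char *samples[] = { "1", "0", "3", "4", "1a", "-1", "", " 1", "1;x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *iface = wan_iface_for_param(samples[i]);
        printf("wanIdx=%-4s -> %s\n", samples[i], iface ? iface : "REJECTED");
    }
    return 0;
}
```

The design point is that validation alone is not the whole fix: even a correctly parsed integer should not be formatted back into a shell command string. Mapping the index onto a fixed table (or passing it to an exec-style call with a constant argv) removes the shell from the data path, which is what makes the remaining validation bug-tolerant. The same check is a useful detection heuristic on the monitoring side: any request to the CGI handler whose wanIdx value is not a bare one- or two-digit number is, by construction, not a legitimate configuration change.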

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Immediate remediation is required. Organizations should ensure all Totolink devices are running the latest firmware to protect against this critical threat.