CVE-2026-7137

Totolink · A8000RU

An unauthenticated remote OS command injection vulnerability exists in the Totolink A8000RU CGI handler via the sambaEnabled parameter in the setStorageCfg function.

Executive summary

A critical OS command injection vulnerability in the Totolink A8000RU router allows unauthenticated remote attackers to execute arbitrary commands.

Vulnerability

This vulnerability occurs in the setStorageCfg function within /cgi-bin/cstecgi.cgi due to insufficient sanitization of the sambaEnabled parameter, enabling remote OS command injection.
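
The defensive fix for this class of bug is to validate sambaEnabled against the only values it can legitimately take before it reaches any command construction. The following is an added example written for this advisory, not Totolink's firmware code; it assumes the parameter arrives as a form-encoded key=value pair (the real request format is not given on the page), and the function and key names are illustrative.

```c
/* Hardened handling of the sambaEnabled parameter (added example, not
   the vendor's code). The value is parsed out of a form-encoded body,
   checked against a strict allowlist ("0" or "1"), and only then mapped
   to a fixed action. Nothing from the request is ever interpolated into
   a shell command string. */
#include <string.h>

/* Return 1 if value is exactly "0" or "1", 0 otherwise. Whitespace,
   shell metacharacters, or any extra characters are rejected here. */
int samba_enabled_is_valid(const char *value) {
    if (value == NULL) return 0;
    return strcmp(value, "0") == 0 || strcmp(value, "1") == 0;
}

/* Copy the value of `key` from a body like "a=1&b=2" into out.
   No percent-decoding is done: a valid value is a single digit, so an
   encoded value is simply rejected later. Returns 1 on success,
   0 if the key is missing or its value would not fit in out. */
int get_param(const char *body, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            size_t vlen = strcspn(v, "&");   /* value ends at '&' or NUL */
            if (vlen >= outlen) return 0;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, '&');                  /* skip to the next pair */
        if (p) p++;
    }
    return 0;
}

/* Decide the storage action from a request body (hypothetical handler):
   returns 1 (enable Samba), 0 (disable Samba), or -1 (reject request).
   A -1 result must short-circuit before any execution path; the caller
   would then select a fixed argv for exec rather than building a shell
   string, so the validated digit never touches a shell. */
int set_storage_cfg(const char *body) {
    char val[8];   /* constructed small buffer; "0"/"1" plus NUL fits easily */
    if (!get_param(body, "sambaEnabled", val, sizeof val)) return -1;
    if (!samba_enabled_is_valid(val)) return -1;
    return val[0] == '1';
}
```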

Business impact

The flaw grants an attacker full control over the router, which can lead to data breaches or network-wide compromise. The 9.8 CVSS score emphasizes the severity of this risk.

Remediation

Immediate Action: Update to the latest firmware version and disable Samba/storage sharing features if they are not necessary.

Proactive Monitoring: Review the device's system logs, and any upstream web or proxy logs, for unexpected command execution and for requests to the setStorageCfg handler in /cgi-bin/cstecgi.cgi that carry sambaEnabled values other than the expected enable/disable flag.

Compensating Controls: Use a firewall to restrict access to the device's management interface.

Exploitation status

Public Exploit Available: Yes

Analyst recommendation

Urgent firmware updates are necessary to secure the device. If an update is not immediately available, disable all unnecessary features and restrict external access to the device.