CVE-2026-7154
Totolink · A8000RU
An OS command injection vulnerability in the Totolink A8000RU CGI handler allows unauthenticated remote attackers to execute arbitrary system commands via the tty_server argument.
Executive summary
A critical OS command injection vulnerability in the Totolink A8000RU router allows for unauthenticated remote code execution, posing an immediate risk of full device compromise.
Vulnerability
The flaw exists in the setAdvancedInfoShow function of /cgi-bin/cstecgi.cgi, where the tty_server parameter is not properly sanitized before use, allowing an unauthenticated remote attacker to inject and execute OS commands. Because the handler does not require authentication, any host that can reach the router's web interface can trigger the injection.
Business impact
The CVSS base score of 9.8 (Critical) reflects unauthenticated, network-reachable code execution. Successful exploitation gives the attacker complete control of the router, from which they can reach the internal network segments behind it and disrupt its availability.
Remediation
Immediate Action: Install the latest vendor-provided firmware for the A8000RU, and confirm the running firmware version afterwards so that a failed or rolled-back update is not mistaken for a fix.
Proactive Monitoring: Review web-access and device logs for requests to /cgi-bin/cstecgi.cgi whose tty_server value contains shell metacharacters or otherwise does not look like an expected value, and for unexpected child processes spawned by the CGI handler.
Compensating Controls: Do not expose the web management interface to the public internet; restrict it to a trusted management network or VPN-only access. Because the flaw needs no authentication, treat an unpatched device as compromisable by any host that can reach its HTTP interface, including clients on the LAN.
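The following detection script is an added example illustrating the monitoring step above; it is not part of the advisory or of any Totolink software. It scans JSON-lines request records (a constructed format standing in for a proxy or IDS capture that includes request bodies) for requests to /cgi-bin/cstecgi.cgi carrying a tty_server parameter, and flags values that contain shell metacharacters or that fall outside an assumed host[:port] shape. The JSON and form-encoded body layouts, the "topicurl" parameter that names the handler, and the allowlist pattern are all assumptions made for the example, not facts taken from the vendor firmware.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Handler path and parameter named in the advisory.
TARGET_PATH = "/cgi-bin/cstecgi.cgi"
TARGET_PARAM = "tty_server"

# Assumptions for this example (not from the advisory or the vendor firmware):
# - a legitimate tty_server value is a hostname or IP with an optional :port
# - a "topicurl" parameter selects the CGI handler; it is reported, not required
TTY_SERVER_ALLOWED = re.compile(r"^[A-Za-z0-9.\-]{1,253}(:\d{1,5})?$")
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\]")


def extract_params(uri, body):
    """Collect request parameters from the query string and the body.

    The body is tried as a JSON object first and as form encoding second;
    both layouts are assumptions about how the CGI is driven.
    """
    params = {}
    for key, values in parse_qs(urlsplit(uri).query, keep_blank_values=True).items():
        params[key] = values[0]
    if body:
        try:
            obj = json.loads(body)
        except ValueError:
            obj = None
        if isinstance(obj, dict):
            params.update({str(k): str(v) for k, v in obj.items()})
        else:
            for key, values in parse_qs(body, keep_blank_values=True).items():
                params[key] = values[0]
    return params


def classify_tty_server(value):
    """'injection' for shell metacharacters, 'malformed' for anything outside
    the assumed host[:port] shape, 'ok' otherwise."""
    if SHELL_META.search(value):
        return "injection"
    if not TTY_SERVER_ALLOWED.match(value):
        return "malformed"
    return "ok"


def analyse_request(record):
    """Return a finding dict for a suspicious cstecgi.cgi request, else None."""
    uri = record.get("uri", "")
    if urlsplit(uri).path != TARGET_PATH:
        return None
    params = extract_params(uri, record.get("body", ""))
    if TARGET_PARAM not in params:
        return None
    verdict = classify_tty_server(params[TARGET_PARAM])
    if verdict == "ok":
        return None
    return {
        "src": record.get("src"),
        "handler": params.get("topicurl"),
        "verdict": verdict,
        "value": params[TARGET_PARAM],
    }


def scan_log(lines):
    """Run analyse_request over JSON-lines request records, skipping bad lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except ValueError:
            continue
        finding = analyse_request(record)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records (not real traffic): one benign request, one JSON
# body with a metacharacter, one URL-encoded query string with backticks,
# one request to a different CGI, and one value that is merely malformed.
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi", '
    '"body": "{\\"topicurl\\": \\"setAdvancedInfoShow\\", \\"tty_server\\": \\"10.0.0.20:2323\\"}"}',
    '{"src": "203.0.113.9", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi", '
    '"body": "{\\"topicurl\\": \\"setAdvancedInfoShow\\", \\"tty_server\\": \\"10.0.0.20;id\\"}"}',
    '{"src": "203.0.113.9", "method": "GET", '
    '"uri": "/cgi-bin/cstecgi.cgi?topicurl=setAdvancedInfoShow&tty_server=%60id%60", "body": ""}',
    '{"src": "10.0.0.5", "method": "GET", "uri": "/cgi-bin/other.cgi?tty_server=x;y", "body": ""}',
    '{"src": "198.51.100.4", "method": "POST", "uri": "/cgi-bin/cstecgi.cgi", '
    '"body": "topicurl=setAdvancedInfoShow&tty_server=not+a+host"}',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed records, the scan reports the two metacharacter requests as injection attempts and the form-encoded "not a host" value as malformed, while the benign host:port value and the request to a different CGI are ignored. The metacharacter check is deliberately applied before the allowlist, so a tightened allowlist cannot hide an injection attempt, and the query string is checked as well as the body because the parameter could be supplied either way.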
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Treat this as an emergency patch: a public exploit exists and the flaw requires no authentication. Apply the firmware update provided by Totolink as soon as possible; where that cannot be done immediately, remove network exposure of the web interface in the interim.