CVE-2026-7240
Totolink · A8000RU
A remote OS command injection vulnerability in the Totolink A8000RU CGI handler is reachable through the setVpnAccountCfg function's User argument.
Executive summary
A critical remote command injection vulnerability in the Totolink A8000RU router allows unauthenticated attackers to achieve full system control.
Vulnerability
The setVpnAccountCfg function in the /cgi-bin/cstecgi.cgi file fails to sanitize the User argument. This oversight enables an unauthenticated attacker to inject arbitrary OS commands remotely.
Business impact
With a CVSS score of 9.8, this is a high-impact vulnerability. Successful exploitation grants the attacker administrative access to the router, which can be used to compromise the entire network, intercept traffic, or facilitate lateral movement.
Remediation
Immediate Action: Update the affected device to the most recent firmware version provided by the manufacturer.
Proactive Monitoring: Monitor web-request logs for shell metacharacters in parameters sent to the CGI handler, in particular the User argument of setVpnAccountCfg requests, and watch for VPN account modifications that no administrator made.
Compensating Controls: Disable remote management of the router and limit access to the internal network side only.
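A detection check of the kind the monitoring item above calls for, added here as an example and not part of the advisory or the vendor's code: it scans constructed access-log lines for setVpnAccountCfg requests to /cgi-bin/cstecgi.cgi and flags a User value that carries shell metacharacters. The log layout (method, path, JSON body on one line) and the "topicurl" field naming the handler are assumptions for this example, not facts stated by the advisory.

```python
import json

# Constructed sample log lines in an assumed "METHOD PATH BODY" layout.
# The "topicurl" key naming the CGI handler is an assumption for this example.
SAMPLE_LOG = [
    'POST /cgi-bin/cstecgi.cgi {"topicurl":"setVpnAccountCfg","User":"alice","Pass":"s3cret"}',
    'POST /cgi-bin/cstecgi.cgi {"topicurl":"setVpnAccountCfg","User":"alice;echo x","Pass":"s3cret"}',
    'POST /cgi-bin/cstecgi.cgi {"topicurl":"getSysStatusCfg"}',
    'GET /index.html',
]

CGI_PATH = "/cgi-bin/cstecgi.cgi"
VPN_HANDLER = "setVpnAccountCfg"
# Characters that have no legitimate place in a VPN user name but let a
# value escape into a shell command line.
META_CHARS = set(';|&`$<>"\'\n\r')


def parse_line(line):
    """Split a log line into (method, path, body-dict-or-None); None if unusable."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    method, path = parts[0], parts[1]
    body = None
    if len(parts) == 3:
        try:
            body = json.loads(parts[2])
        except json.JSONDecodeError:
            body = None
    return method, path, body


def classify(line):
    """Return 'injection', 'vpn_change', 'malformed', 'other' or 'unparsed'."""
    parsed = parse_line(line)
    if parsed is None:
        return "unparsed"
    _method, path, body = parsed
    if path != CGI_PATH:
        return "other"
    if not isinstance(body, dict):
        return "malformed"  # non-JSON body to the CGI endpoint is itself odd
    if body.get("topicurl") != VPN_HANDLER:
        return "other"
    user = body.get("User", "")
    if isinstance(user, str) and any(c in META_CHARS for c in user):
        return "injection"
    return "vpn_change"  # plausible request, but every VPN change deserves review


def scan(lines):
    """Return (line number, verdict, line) for every line worth an analyst's eye."""
    verdicts = [(i, classify(l), l) for i, l in enumerate(lines, 1)]
    return [v for v in verdicts if v[1] not in ("other", "unparsed")]
```

Feed the output of scan() into whatever alerting you use; an "injection" verdict on a device that is still on vulnerable firmware should be treated as a compromise indicator, not just a blocked request.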
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
Organizations should prioritize updating the vulnerable firmware. Given that this is a command injection vulnerability, it is essential to assume that any exposed device may have been compromised and to perform a security audit of the network environment post-patching.