CVE-2026-7823
Totolink · A8000RU
A remote OS command injection vulnerability in the Totolink A8000RU allows unauthenticated attackers to execute arbitrary commands via the `setAppFilterCfg` function.
Executive summary
A critical remote OS command injection vulnerability in Totolink A8000RU allows unauthenticated attackers to gain full control of the device.
Vulnerability
The function `setAppFilterCfg` in `/cgi-bin/cstecgi.cgi` fails to sanitize the `enable` argument, leading to OS command injection. This allows an unauthenticated, remote attacker to execute arbitrary commands with system-level privileges.
Business impact
A CVSS score of 9.8 highlights the extreme risk posed by this vulnerability. Total device compromise can lead to complete loss of network visibility, interception of sensitive data, and the use of the router as a foothold for further attacks against the internal network.
Remediation
Immediate Action: Apply the latest firmware update provided by Totolink to patch the command injection flaw.
Proactive Monitoring: Monitor for unusual system processes or unexpected network traffic emanating from the router, which may indicate persistent command execution.
Compensating Controls: Restrict access to the router's web interface to trusted internal IP addresses only, preventing external exposure of the vulnerable CGI script.
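As an added example (not part of the original advisory and not Totolink code), the monitoring and compensating controls above can be checked against request records captured upstream of the router: the sketch flags access to `/cgi-bin/cstecgi.cgi` from outside trusted networks and `setAppFilterCfg` requests whose `enable` value is not a plain numeric flag. The record fields, trusted ranges, body layouts and the numeric-flag rule are assumptions made for the example.

```python
import ipaddress
import re

CGI_PATH = "/cgi-bin/cstecgi.cgi"   # script named in the advisory
FUNC = "setAppFilterCfg"            # function named in the advisory
# Assumption: the only networks allowed to reach the management interface.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.20.0.0/28")]
# Assumption: a legitimate "enable" value is a short numeric flag.
SAFE_ENABLE = re.compile(r"[0-9]{1,2}")
# Finds enable=VALUE (form style) or "enable": VALUE (JSON style).
ENABLE_RE = re.compile(r'(?<!\w)enable"?\s*[=:]\s*("(?:[^"\\]|\\.)*"|[^&,}\s]*)')

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED)

def classify(record):
    """Return the findings for one request record (src, path, optional body)."""
    findings = []
    if record["path"].split("?", 1)[0] != CGI_PATH:
        return findings
    if not is_trusted(record["src"]):
        findings.append("untrusted-source")
    body = record.get("body", "")
    match = ENABLE_RE.search(body) if FUNC in body else None
    if match and not SAFE_ENABLE.fullmatch(match.group(1).strip('"')):
        findings.append("unexpected-enable-value")
    return findings

def scan(records):
    """Return (src, findings) for every record that raised a finding."""
    hits = [(r["src"], classify(r)) for r in records]
    return [(src, f) for src, f in hits if f]

# Constructed records; the body layouts are invented for the example.
SAMPLE = [
    {"src": "192.168.0.10", "path": CGI_PATH,
     "body": '{"fn":"setAppFilterCfg","enable":"1"}'},
    {"src": "203.0.113.7", "path": CGI_PATH,
     "body": '{"fn":"setAppFilterCfg","enable":"1;PLACEHOLDER"}'},
    {"src": "192.168.0.11", "path": CGI_PATH,
     "body": "fn=setAppFilterCfg&enable=1%3BPLACEHOLDER"},
    {"src": "198.51.100.4", "path": "/index.html", "body": ""},
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE):
        print(src, ",".join(findings))
```

Because the `enable` check is an allow-list, percent-encoded or otherwise obfuscated values are flagged without enumerating shell metacharacters.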
Exploitation status
Public Exploit Available: Yes
Analyst recommendation
The combination of RCE capability and public exploit availability makes this a high-priority threat. Administrators must act immediately to patch the affected devices or restrict network access to the management interface to neutralize the risk of exploitation.