CVE-2026-9543
Totolink · N300RH
The Totolink N300RH web management interface contains an OS command injection vulnerability in the `setPasswordCfg` function.
Executive summary
A critical OS command injection vulnerability in the Totolink N300RH web management interface allows remote attackers to execute arbitrary commands.
Vulnerability
The `setPasswordCfg` function within `/cgi-bin/cstecgi.cgi` does not properly sanitize the `admpass` argument, allowing a remote attacker to inject and execute arbitrary OS commands.
Business impact
This vulnerability gives an attacker full control over the affected router. With a CVSS score of 9.8, it could lead to interception of network traffic, redirection of DNS, or the device being used as a pivot point for further attacks on the internal network.
Remediation
Immediate Action: Update the device firmware to the latest available version provided by Totolink.
Proactive Monitoring: Monitor the device for unusual configuration changes and audit network traffic originating from the router for signs of compromise.
Compensating Controls: Disable remote access to the Web Management Interface and ensure the device is not accessible from the public internet.
Exploitation status
Public Exploit Available: True
Analyst recommendation
Owners of Totolink N300RH devices should update their firmware immediately. If no firmware update is available for a specific version, the device should be taken offline or have its management interface restricted from external access to prevent exploitation.